GOOD PRACTICE GUIDE Data protection: what the big changes mean to you
The Data Protection Act is about to change, becoming tougher, and only about a third of businesses are ready for it, particularly those in the arts and creative industries. It will bring the UK into line with Europe and nothing, not even Brexit, will slow its implementation. Lawyer Karen Holden, who has made a speciality of the law around data protection, explains
On May 25 the General Data Protection Regulation (GDPR) will replace the current Data Protection Act 1998 (DPA). It brings a new set of rules and major changes to how data is stored and processed by companies and other organisations, and it gives citizens more power over their personal data. The change has come about because of increased online activity, and it will mean severe repercussions for businesses that do not follow the new rules, so it is better to start preparing now.
The design of the GDPR is not too dissimilar to that of the DPA, but the level of compliance required will depend on how much data, and what type of data, is collected. You must, however, still provide privacy protection, notification and consent, and protect the information through secure storage, regardless of your company's size. The GDPR places a greater focus on protecting an individual's rights over their data, so that when companies collect and process data, they must also be able to justify the legal basis for doing so.
Someone's personal data could simply be their name or address, but could extend to details including fingerprints, DNA and recorded calls. Under the GDPR, personal data will refer to any information that can relate to a single person. All of this information will be covered and protected by the GDPR.
If you record phone calls you must:
- Obtain consent to record from the individual(s) on the call;
- Justify the necessity of the recording, e.g. to fulfil a contract or to meet a legal requirement;
- Protect the interests of the participants;
- Be sure the recording is in the public interest, or necessary for the exercise of official authority;
- Be aware that the interests of the recorder will be overridden if they conflict with the interests of the participants in the call.
When a company uses call recording to monitor customer service it must still fulfil the first condition to be fully compliant. The fifth condition can also apply: a company might argue that staff quality assurance outweighs the participants' interest in privacy, but under this condition it must not be allowed to.
Under the DPA, when a recording takes place the individual must be informed of the purpose and of how the information will be processed. If the participant continued the call, consent was assumed, and this was acceptable and common practice. That is no longer enough: the GDPR implements tighter regulations, and express consent must be given, either by recording verbal consent or by terminating the call if consent is not given.
Rights to access data are also changing. Individuals will now have absolute access to any information stored about them, and this will need to be identified, retrieved and provided to them upon request. Therefore, as a business you must implement an efficient method of doing this on request. In addition, should an individual ask to have their details removed, you must do so with immediate effect. Any policies put in place to ensure this is done must be co-ordinated with your IT and call recording providers so that you can fulfil what you promise.
Businesses must actively demonstrate their compliance with the new rules under the "Principle of Accountability", and the GDPR stresses the importance of implementing data protection systems with immediate effect. Creating an extensive policy is not useful if your staff and providers are unable to fulfil its obligations, so an honest and realistic policy will be most effective and will be easier to demonstrate if you need to prove compliance.
To implement any policy effectively there are several steps that must be completed, including drafting policies and protocols, training staff so that they are fully aware of the new provisions, and then carefully managing and implementing them.
There will be penalties for breaches: organisations could be fined up to £500,000 or, under the new GDPR, between 2-4% of global turnover, depending on how severe the case is. These fines are designed to have a large impact on non-compliant companies, so it is important to act now.
We believe that the best starting point when deciding what improvements and changes need to be made is a full understanding of your business, its operations and the data you really need to be collecting. All policies should be bespoke, drafted on a client by client basis according to what can be achieved given size, budget, suppliers and compliance requirements.
Karen Holden is the founder of A City Law Firm