The United Kingdom’s General Data Protection Regulation (UK GDPR) is hugely important for all organisations who collect and process personal data. It applies to all controllers and processors of personal data and places legal obligations on them. The GDPR also provides principles that should be followed by organisations when dealing with personal data and gives individuals rights in relation to their data. Failure to comply with the GDPR has the potential to cost organisations huge sums of money if penalties are imposed by the Information Commissioner’s Office (ICO).
We explore what exactly the GDPR is and what the penalties are for failure to comply, so that your Data Protection Officer can ensure compliance with the regulations.
Principles of GDPR
One of the key components of the GDPR is the principles; these principles lie at the heart of the GDPR. Contained in Article 5, the principles of the GDPR require that personal data shall be:
- processed lawfully, fairly, and in a transparent manner;
- collected for a specified, explicit and legitimate purpose (purpose limitation);
- adequate, relevant, and limited to what is necessary for the purposes they are processed for (data minimisation);
- accurate and kept up to date (accuracy);
- kept for no longer than is necessary for the purposes that the data is being processed for (storage limitation);
- processed in a manner that ensures the security of the personal data (integrity and confidentiality/security).
- The controller shall be responsible for and be able to demonstrate compliance with the principles under Article 5(2) (accountability).
Following these principles is key to an organisation’s compliance with its data protection obligations and should be the starting point when considering any processing activity.
Obligations placed onto controllers and processors
The GDPR places legal obligations onto controllers and processors, which include such as:
- Controllers must ensure your contracts with processors comply with the GDPR.
- Processors are required to maintain records of personal data and processing activities and have more legal liability in the event of a data breach.
The lawfulness of processing must also be established and evidenced before you can process any personal data. It is very important that organisations determine their lawful basis and document this.
What data protection rights does the GDPR provide to individuals?
There are a number of rights provided to individuals (data subjects) under the GDPR, and these are:
- The right to be informed, e.g., through a privacy notice. There is a big emphasis on transparency, and the information provided should be concise, transparent, easily accessible, and easy to read.
- The right of access which provides individuals with the right to obtain confirmation that their data is being processed and access to their personal data (e.g., through a Subject Access Request).
- The right to rectification which provides that individuals are entitled to have their data rectified if it is inaccurate or incomplete.
- The right to erasure/the right to be forgotten. This right enables an individual to request that their data be deleted/removed when there is no real reason for its processing.
- The right to restrict processing enables individuals to effectively block the processing, but it can still be stored. The processing may be restricted in circumstances such as where the accuracy of data is brought into question.
- The right to data portability allows individuals to obtain and reuse their personal data and allows them to move/copy their data easily in a safe and secure way.
- The right to object means that individuals have the right to object to:
- Processing based on legitimate interests or the performance of a task in the public interest.
- Direct marketing.
- Processing for purposes of scientific/historical research and statistics.
What are the penalties for failing to comply with the GDPR?
For serious breaches, the UK GDPR (and the DPA 2018) sets a maximum penalty of £17.5 million or 4% of annual global turnover (whichever is greater). Recently, TikTok were fined a huge £12.7 million for various breaches of compliance.
This is not to say that all infringements will result in large fines, and there are other actions that the ICO can issue, such as warnings/reprimands, imposing bans on data processing (both permanent and temporary), ordering rectification or erasure of data, and suspending data transfers.
The ICO tends to focus on issuing large fines to organisations that have caused reckless or deliberate harm and is unlikely to take action against organisations that are genuinely seeking to maintain compliance or where there has been a genuine mistake when acting in good faith.
How can DPAS help?
Fully understanding the GDPR can be a difficult and daunting prospect, but that’s why here at DPAS we have data protection professionals and a range of services to support you and your organisation on your journey to GDPR compliance; whether you want to work with an outsourced DPO or train your own team.
If you’d like to talk to us more about how we can help, either give us a call on 0203 3013384 or send us an email at info@dataprivacyadvisory.com – or fill in a contact form and we’ll get in touch with you.