
GDPR : Changing attitudes to data

The General Data Protection Regulation (GDPR) comes into force on 25 May 2018, which is scarcely seven months away. Much has been written about the vastly increased fines that will be available to the Information Commissioner’s Office (ICO), up from the present maximum of £500,000 to €20 million or 4% of annual turnover, whichever is the higher, for the most serious breaches.

However, with regard to these increased powers to fine, the Information Commissioner has been writing reassuringly for businesses that GDPR is an “evolutionary not revolutionary” step in the law and that the ICO “has always preferred the carrot to the stick”. According to the ICO, of 17,300 cases investigated last year, only sixteen resulted in a fine. Issuing fines is, and will continue to be, a “last resort”, and any fines that are issued will be “proportionate”.

One of the aims of GDPR is to encourage organisations to improve their data security. To this end, the regulation introduces a data breach reporting system which requires all data breaches that may result in a risk to individuals’ rights or freedoms to be reported to the ICO. If there is a high risk to such rights or freedoms, the individuals concerned must be informed as well. If a data loss incident is reportable, the ICO should be informed without undue delay and ideally within 72 hours of the organisation becoming aware of the incident. Such notification should include details of the nature and scope of the data loss and the steps the organisation is taking to address the situation. Fines can be avoided in these situations if organisations adopt an open and honest policy and “tell it all, tell it fast, tell the truth”.

Because of the attention given to the potential fines, less has been focussed on the increased rights that data subjects will have under GDPR, which include the right to claim compensation for distress even where no actual harm or loss is suffered. The reputational damage to organisations that lose their customers’ data or breach GDPR will also be a significant factor in ensuring that organisations in future develop a culture of putting the privacy of customer data at the heart of everything they do, and in so doing adopt a “privacy by design” approach rather than treating this aspect as an afterthought.

Although correct at the time of publication, the contents of this article are intended for general information purposes only and shall not be deemed to be, or constitute, legal advice. We cannot accept responsibility for any loss as a result of acts or omissions taken in respect of this article. Please contact us for the latest legal position.