Defining your franchise’s data defence duties

We live in an age where personal information is valuable currency. Developments in technology and the growth of online activity mean that an update to the existing Data Protection Act 1998 is long overdue. Cue the General Data Protection Regulation (GDPR), which comes into force in May 2018. The new legislation has been described as a game-changer and the Information Commissioner’s Office is urging businesses to prepare for its introduction. But is the hype justified?

The current regime

We currently operate under the Data Protection Act 1998. The act applies to almost all processing of personal information, which means any information that can be connected to a living individual – for example, staff records or a customer email address. Only information that relates to individuals is covered, so information relating to an individual contact at a particular company would be protected but information relating to the company itself is not.

The act sets out eight data protection principles that any business that deals with personal information must comply with. First of all, the information may only be processed “fairly and lawfully”. This effectively means that you have to tell people what information you hold about them and explain why and how you will use their data. You may also only be able to use their information in certain, limited ways. In addition, there are obligations to ensure information is secure, keep records up-to-date, securely dispose of them when they’re no longer required and only transfer data outside the EU when the recipient offers adequate protection.

Additionally, the act gives individuals various rights, including a right to access the information that’s held about them, the right to stop their information being used for direct marketing and the right to compensation for breaches of the act.

The act distinguishes between the owners of personal data – data controllers – and organisations that process data on behalf of the owner – data processors. For example, if a company outsources its payroll, it will be the data controller and the payroll provider will be a data processor. On top of this, the act also regulates the relationship between data controllers and processors.

Finally, the act describes certain types of information as sensitive personal data and expects organisations to go to greater lengths to protect this data. The classes of sensitive information include data relating to an individual’s health, ethnic origin, criminal records, religious as well as political beliefs and sexual orientation.

GDPR versus The Data Protection Act

On May 25 2018, we will say sayonara to the Data Protection Act as it is replaced by the GDPR. But is the GDPR really a game changer? There are many similarities between the two regimes. The concepts of personal data and sensitive personal data essentially remain the same, although sensitive data is rebranded as special data. The data protection principles are also largely repeated, although they are in some cases extended. The definitions of data controllers and data processors remain unchanged, although the obligations on data processors are significantly increased.”

That being said, there are some significant differences between the two regimes that could have far reaching implications. The first is the addition of the accountability principle. From May 2018, it won’t be enough to comply with data protection principles – you will also need to show how you’re complying. In practice, this is likely to mean more policies, internal audits, staff training and record keeping.

The second is the introduction of explicit consent. Until now, many businesses have relied on individuals giving implied consent to their personal information being processed. In the future, this is unlikely to be enough. The use of pre-ticked opt-in boxes or relying on the fact that the individual has not done anything to indicate that they don’t want their data processed will no longer suffice.

Where consent to processing is set out in writing – for example in a contract or terms of business – this will need to be written in plain English and highlighted in a separate part of the document. This means many businesses will need to review and update their standard terms and contracts. Businesses will also need to keep records of when and how consent was given and individuals will have the right to withdraw consent at any time.

New provisions have been included relating to children’s personal information and in particular to any online services offered to children. Any internet service aimed at children will now require the consent of a parent or guardian.

There will also be stricter rules in relation to profiling: automated processes that are used to evaluate personal characteristics and try to predict the individual’s behaviour, interests and movements. Businesses will need to consider whether any of their current activities fall within the definition of profiling and, if so, decide what action is needed to ensure they’re complying.

Ignore at your peril

In the past, the Data Protection Act was easy to ignore and there weren’t any real penalties if you did. Things got more interesting when the ICO introduced its enforcement department, beginning to issue fines of up to £500,000 for non-compliance and naming and shaming offenders. At that point, ignoring data protection wasn’t such a great strategy anymore.

There will be a further shift under GDPR. New rules will be introduced that require organisations to report breaches to both their regulator and the affected data subjects. This means that if, for example, the laptop containing your customer list is stolen, you may have to write to all of your customers and tell them. And from May 2018, the maximum fine for breaches will be increased to an eye-watering €20m or 4% of the global, annual turnover of the organisation, whichever is higher.

What to do next

Given the upcoming changes, businesses will need to consider the gaps in their current data-protection strategies and begin prioritising and tackling the areas of concern. The ICO will continue to issue guidance on the new regime over the next 12 months and, of course, franchises should also seek advice from their solicitor.