Clock ticking and penalties mounting for data breaches

Businesses and individuals should be mindful of their rights and obligations under the new GDPR legislation being introduced in May

WITH reports of personal data breaches hitting the headlines with alarming regularity, and the fast-approaching enforcement date for GDPR, businesses and individuals alike should by this stage be very mindful of their rights and obligations under the new legislation.

I believe the majority of us are fully aware and in many cases accept that our sensitive personal data is held by a multitude of third parties such as banks, GPs, booking agents and insurance providers.

Every time we use an app on our phone, it collects and processes sensitive information about us, from location, interests and jobs, to pictures, music tastes and restaurant preferences.

But is this volume and indeed nature of information really necessary to personalise the user’s experience and what recourse do we have if our sensitive personal data is hacked or breached?

Earlier this month, the UK’s Information Commissioner’s Office (ICO) reported that it was investigating 30 organisations as part of an inquiry into the use of personal data and analytics for political and commercial purposes. Facebook were included in this and are currently under investigation for their failure to protect their users’ data, which may have led to 87 million users’ data being taken without permission.

The ICO’s report came shortly after the regulatory body was granted a warrant to search Cambridge Analytica’s headquarters in London. It is reported that Facebook had been aware since December 2015 that the data had been shared with the UK-based political data firm but failed to alert its users. While Facebook have since updated their privacy policy, this appears to me to be the latest example of too little, too late.

On May 25, the General Data Protection Regulations (GDPR) will come into force, strengthening individuals’ rights in respect of their personal data and giving them more control over how it is used. The new regulations are an ‘evolution in data protection’, according to Steve Wood, the ICO's deputy commissioner for policy, building on the already established foundations.

In line with the incoming regulations, the ICO appear to be upping the pressure on companies in advance of May 25. In January, they handed out a record number of fines to companies with the total in monetary penalties reaching a new high of £1.7 million.

With an increased focus on accountability, companies will be required to demonstrate their compliance. Of particular note, from May the upper limit on fines will increase from £500,000 to the greater of €20,000,000 or 4 per cent of annual turnover, figures that have the potential to cripple any business.

Whilst businesses should be fully aware of their upcoming obligations in respect of the new regulations, individuals may not be aware of new rights afforded to them. These include, but are not limited to, the right of erasure (enabling individuals to have their personal data removed), and the right to have inaccuracies corrected.

Consent can no longer be inferred from silence, and companies will have to provide individuals with simple ways of withdrawing previously given consent.

:: Seamus McGranaghan is commercial director at O’Reilly Stewart Solicitors. For further information or advice he can be contacted on Seamusmcgranaghan@oreillystewart.com or 028 90321000.