January 20, 2018

GDPR: Massive Data Protection Shake-up Imminent

Europe’s General Data Protection Regulation becomes law on 25 May 2018, after which the Information Commissioner will be able to impose penalties of up to £18 million (20 million euro) or 4% of a company’s global turnover for data protection breaches.

We’re all aware of the major problems that can result from vast data hacks. And we’ve all been pestered with PPI cold calls.

GDPR is intended to address these sorts of issues – it’s about empowering people to take control of their own personal data and prepare the UK for digital life beyond Brexit.

The problem is that this all has – however inadvertently – a massive, intrusive effect on businesses.

So how is the UK planning for GDPR under a Brexit-led agenda?

A Bill to change corresponding UK domestic legislation is passing through Parliament. It started life in the House of Lords and is expected to move to the House of Commons shortly.

Frustratingly, it’s unlikely to become law until March or April, which unhelpfully means the Information Commissioner’s Office is unlikely to publish detailed guidance for employers before then.

The Data Protection Bill (HL) 2017-19 is intended to make the UK fit for the digital age.

Some organisations are frantically scrabbling around for helpful guidance. Others remain blissfully ignorant of the impending sea-change in data protection. Yet more are looking the other way and hoping, or burying their heads in the sand.

Every business is affected, but it’s believed 70% have still done nothing.

What does GDPR (and the Data Protection Bill) affect?

GDPR isn’t just about employing people, of course.

Unsurprisingly, it affects your mailing lists and customer records. But what about communication – encrypting email, which is notoriously insecure, for instance? What’s the impact on your company’s web presence? And will your use of CCTV cameras and vehicle trackers be GDPR compliant?

Every business and organisation will (or should) be going through a GDPR compliance process in preparation for the Regulation taking hold in May.

How can Moorepay help with GDPR compliance from an HR perspective?

We can help you with any HR implications arising from GDPR compliance – most of our clients are entitled to an annual review of their employee handbook and principal statements, and the current round of reviews is concentrating on making your employment documents GDPR-compliant.

We will also be providing appropriate communications for you to issue to current staff to explain the changes.

If your contract includes a review visit, we will sit down with you to go through the HR implications of GDPR.

If it doesn’t, we can offer an on-site GDPR overview for £450 plus VAT and travelling expenses.

We can also provide a full GDPR HR consultancy package.

This includes:

  • an initial familiarisation session
  • gap analysis & recommendations
  • an action plan to achieve compliance
  • plus a management or employee GDPR awareness webinar

This package starts from £1,550 plus VAT.

What are the risks (and consequences) of ignoring the GDPR?

The days of storing employee records in a shoebox in the stationery cupboard are over, and the use of pre-defaulted “tick box” approval is no more.

The Information Commissioner (ICO) will be targeting businesses both big and small under GDPR, although the biggest businesses (with the most significant data breaches) will undoubtedly face the largest penalties.

As an example, UBER – the besieged taxi hailing service – is now facing a massive, self-imposed data protection meltdown.

Back in 2016, it concealed a gigantic hack which affected over 56 million customers and 600,000 drivers worldwide. Allegedly, 2.7 million UK customers had their data stolen.

Instead of disclosing the breach, as they were legally obliged to do, they covered it up and even paid the hackers $100,000 to bury the problem.

Now UBER is facing at least four lawsuits, while the Californian authorities are pursuing a criminal investigation.

More interestingly, the European Union’s GDPR Working Party has also established a taskforce to investigate.

The taskforce is led by the Dutch Data Protection Authority (UBER has its European HQ in Holland), with France, Italy, Spain, Belgium, Germany and the UK also involved.

So it’s pretty clear that Europe sees the UBER investigation lasting until GDPR is in place and those massive fines can kick in.

But don’t be lulled into a false sense of security that GDPR only targets multi-national, big business.

Small and medium-sized organisations are just as likely to find themselves in the firing line, and many SMEs have already faced action from the ICO for data failures under existing legislation.

Those who ignore GDPR could just as easily find themselves in the dock alongside UBER.

About the author

Mike Fitzsimmons

Mike is a Senior HR Consultant within the Moorepay Policy Team. He is responsible for developing employment documentation and is an Employment law advisor. With over 30 years of senior management and HR experience, Mike has managed teams of between 30 and 100 employees and is familiar with all the issues that employing people brings. He has also served as a non-executive director on the Boards of several social enterprises and undertook a five-year tour of duty as Executive Chair of a £30+ million annual turnover Government agency.