Will Brexit Make Any Difference?
The impact Brexit will have on data protection depends on whether the UK exits the EU with a deal or without one. If the UK exits with a deal, it will be business as usual: provision for data protection will be made in the Withdrawal Agreement and the UK will need to continue to comply with the same European GDPR standards when processing personal data. If the UK exits without a deal, the position is potentially much more complicated.
A UK version of the GDPR will be introduced and the UK will be required to protect personal data to the same standard as the EU. However, organisations in the EU wishing to send personal data to the UK will need to demonstrate that they have suitable safeguards in place to protect that data, such as suitably worded contracts (for example, the EU's standard contractual clauses).
Whilst putting these safeguards in place is the responsibility of the companies in the EU, UK businesses that wish to continue their trading relationships with EU organisations will find it in their own interests to assist.
Should I Disclose Emails Under a Subject Access Request?
When an individual makes a SAR, they are entitled to all personal data you hold about them (unless an exemption applies). This includes all emails that relate to them.
If you keep emails forever, locating and disclosing the relevant emails could be a mammoth task. Avoid this by securely and permanently deleting emails when you no longer need them, in accordance with your Retention Policy. Secure and permanent deletion does not mean moving the emails to your Deleted Items or Archive folder, as they can be recovered from there.
Ensure that you delete the emails and then empty them from your Deleted Items folder. Bear in mind that mail servers often retain "recoverable" copies for a period after this, and that backups may hold further copies, so your Retention Policy should cover those as well.
What is the Maximum Penalty for Non-compliance?
Under the GDPR, there is a two tier system for fines. The maximum penalty under the first tier is €10 million or 2% of total worldwide annual turnover for the preceding financial year, whichever is the greater. The maximum penalty under the second tier is €20 million or 4% of that turnover, whichever is the greater.
The first tier applies when organisations fail to adhere to their obligations under the GDPR, including (amongst other things) failing to implement appropriate technical and organisational measures to safeguard personal data, failing to introduce data protection policies and procedures, failing to enter into GDPR compliant contracts with processors, failing to appoint a Data Protection Officer (where required), failing to carry out Data Protection Impact Assessments (where required) or failing to report a personal data breach (where required).
The second tier applies when organisations do not comply with the Data Protection Principles, do not have a lawful basis for processing personal data, do not obtain valid consent, do not respond appropriately when an individual exercises their rights under the GDPR, or unlawfully transfer personal data outside the EU.
How Do I Know if my Organisation is Compliant?
If you are unsure if your organisation is data protection compliant we can assist by providing a review of your systems and procedures or conducting a full data protection audit in order to identify any areas which need attention.
How Much Training is Required?
Data protection training needs to be provided to everyone who processes personal data, so that they are clear about their responsibilities and understand what they can and cannot do when handling it. Annual refresher training should also be carried out, and attendance recorded so that you can demonstrate it if the regulator asks.
Who Regulates Data Protection?
The Information Commissioner's Office (ICO) regulates data protection compliance in the UK. If it receives a complaint about your business, it will carry out an investigation and may direct you to take action to rectify any areas of concern and/or impose a hefty penalty. It also publishes information about its enforcement action on its website, which could damage your reputation.
Why Do I Need to Worry About Data Protection?
The GDPR applies to most organisations in the EU. It also applies to organisations outside the EU if they offer goods or services to individuals in the EU or monitor the behaviour of individuals in the EU. For example, companies outside the EU that carry out profiling or online tracking of individuals in the EU will need to comply with the GDPR.