Companies "unprepared" for new data protection laws

by Stephen Chapman

Firms could face fines of up to €20 million if they don’t abide by new data protection laws.

The General Data Protection Regulation (GDPR) comes into force in less than a year, changing the requirements for the way personal data is collected. This means that some customer databases may not be valid for marketing purposes.

“There has been data protection legislation in Great Britain since 1984 when the first Data Protection Act was introduced, but despite its increasing prominence, many business owners are still in the dark about what it could mean for their business. Some don’t even realise that it applies to them,” explained James Pressley from Kirwans law firm in Liverpool.

“Firms are being prosecuted for non-compliance right now under the Data Protection Act 1998, with current fines capped at £500,000. However, when the GDPR comes into force, the amount of fines which can be handed down will see a substantial rise, and could reach as high as 4pc of turnover, or €20 million, whichever is greater.”

The current act applies to a business if it processes personal data, or anything which can identify an individual, such as a name, email address, telephone number or IP address. The term “processing” is a wide one and includes anything held on a computer or paper filing system.

“This means that if you deal in any way with consumers, or even if you just hold personal details for your employees, the Data Protection Act says that you must register with the Information Commissioner,” continued Pressley.

One of the biggest changes in the law will be that people will have to give “explicit” consent for their data to be processed.

“Under the GDPR, the onus is on you as the business owner to make sure that you have explicit consent. You must be able to demonstrate that consent was given and you will bear the burden of proof that consent was validly obtained. Individuals can notify you at any time that they no longer agree to you processing their data,” said Pressley.

“The logical consequence of this would seem to be that, if you have been running a ‘soft opt-in’ system, then as of 25 May, 2018, none of your database of customers can be used for marketing purposes. It would therefore make sense to switch to an active opt-in system as soon as possible.”