GDPR: Prevention better than cure

In August, the Information Commissioner’s Office (ICO) fined telecoms provider TalkTalk £100,000 for a breach of the Data Protection Act 1998 (DPA). The breach affected up to 21,000 TalkTalk customers, and follows the £400,000 fine issued by the ICO in October 2016 for a previous failing.

However, the DPA will be superseded by the General Data Protection Regulation (GDPR) when its provisions take effect on 25 May 2018. The GDPR is significantly more prescriptive than the DPA, and includes heavy penalties, and organisations are expected to be compliant from day one. The TalkTalk fine therefore comes as a timely reminder to organisations that data protection compliance is mandatory, not optional.

The enforcement activity taken against the telecoms giant confirms that the ICO will take action against non-compliant organisations. However, in the same week as the TalkTalk fine, the ICO posted a blog aimed to dispel several myths about the GDPR, in particular scaremongering suggestions that the ICO will be making early examples of organisations for minor infringements or that maximum fines will be the norm.

The post comes at a time when many GDPR-related service providers have used the heavy penalties to instil a sense of fear, uncertainty, and doubt in their target market to drive sales. The result is that many organisations may be left wondering how real the risk of enforcement action is and how they should address it.

There is no doubt that the GDPR marks a sea change in data protection. The law has evolved to reflect the exponential growth in the use of personal information and the greater risk of harm to individuals where their personal data is misused. Last month, the UK government announced the Data Protection Bill, which will implement the provisions of the GDPR, in a bid to establish the UK as the gold standard for data protection. While the ICO may “have always preferred the carrot to the stick”, organisations are expected to take steps to address compliance, and face the consequences where they fail.

Firms now have less than 12 months to prepare for the GDPR, and must start now if they have not already done so. The highest level of management must be aware of the new law and its implications, and devote appropriate resources to compliance.

As a first step, organisations must ascertain the personal data they hold (for example, about their employees, customers, and suppliers), and ensure it has been collected and used in accordance with the principles of the GDPR (which are broadly the same as those of the DPA). The GDPR includes an accountability principle, which means that organisations must not only comply with its provisions, but be able to demonstrate compliance – in other words, they must take steps such as adopting policies, training staff, and designating responsibility for data protection to a member of staff.

Security is a key component of data protection and extends beyond technical solutions: the latest TalkTalk breach arose from ‘rogue’ employees in the supply chain. With data protection, prevention is better than cure, and firms should act now.

James Castro-Edwards is a partner and head of data protection law at Wedlake Bell

@JCastroEdwards| wedlakebell.com