With just a week until new data protection laws come into force, Bedell Cristin has offered some advice.
The law firm said that businesses are "rushing to get their houses in order" and said that the recent Facebook-Cambridge Analytica scandal has put the issue even more under the spotlight.
In a statement, Bedell Cristin said under the current data protection regime, Facebook should expect to pay up to £500,000, which is the maximum fine under the Data Protection Act 1998 (DPA). However, had the data breach occurred after 25 May, that fine could have been to the tune of £1bn.
Bedell Cristin said, with such potentially astronomical fines, it's no wonder that data protection news has been focused on the responsibilities of businesses under the GDPR.
The law firm said individual employees also have duties and potential liabilities.
"Before delving into the use of personal devices for work purposes, the concept known as 'bring your own device', it is useful to remind ourselves that personal data processed by an individual only for the purposes of that individual’s personal, family or household affairs (including recreational purposes) are exempt from the data protection regimes.
"Furthermore, employers are "data controllers" and employees are "data recipients". Data controllers have duties and liabilities under the regimes whereas recipients do not. However, recipients are indirectly responsible for respecting the principles as they are liable to their employer who must ensure that any employee with access to personal data is reliable."
The statement continued, explaining that it is possible, however, for employees to be regarded as data controllers if they act beyond the scope of their employment which would then hold them accountable under the data protection regimes.
"Furthermore, when an employee gets access to employer databases through, or stores work related data on, their personal electronic device, the employer maintains its role as data controller in relation to that data. This does not mean that it becomes controller of all the data stored/processed on that device, but for the data they are controller of, they must apply the same data protection principles which can present challenges. The UK Government has produced guidance for organisations in this respect, which includes creating an effective BYOD policy, limiting the information shared by devices, and planning for security incidents."
A further challenge in relation to BYOD for data controllers is balancing data protection responsibilities with the employee's right to privacy.
"A breach in this respect could also amount to a breach of the law, and so it is recommended that employers use software which effectively separates personal and company data on, or accessed through, the same device.
"As an employee you remain liable to your employer in relation to the company data once you leave the office. Having 24-hour access on your own device is likely to increase the chances of breaching your company's data protection policy, or make it easier to effectively assume the role of data processor yourself. That said, your employer is first and foremost responsible and liable under the law to prevent this from happening. In the case where you lose your unsecured device and someone else retrieves the company data from it, your employer will be legally liable and you will be liable to your employer."
Under the new GDPR regime, from 25 May onwards, the situation will remain much the same for employees and for the use of BYOD. Bedell Cristin said:
"You should expect, however, to be held to a much higher data protection standard. With much broader and more stringent requirements on controllers, as well as the sobering new penalties for breach, employers will ensure the highest standards of policy, security and training in relation to you and the use of BYOD are enforced.
"Although BYOD may represent a further potentially huge liability with the incoming data protection regime, it has nevertheless become an integral tool within many business sectors. You should therefore treat it like any other element of your company's filing system - with the utmost diligence and security."