Your plain English guide to GDPR: Part two of our mini series

PART TWO: Consumer rights and data breaches

Familiarise yourself with your customers’ rights

Under GDPR, your customers are given comprehensive rights that can be enforced in relation to the collection, processing or storing of their data.

These rights will limit how you handle customer data. So you will need to put procedures in place to ensure that you can both adhere to and service their requirements.

These rights are as follows (in plain English):

To be informed: Your customers have the right to be provided with information about how their data is processed and the reasons for processing. This type of information should be visible within your Privacy Policy.

To be given access: Your customers have a right to see what data your business holds about them.

If they issue a request to see the data, you need to be aware that – in most cases – you will not be able to charge for the service.

You will have one month to comply with any request, unless it is complex, in which case you can be granted an extension.

Remember to put internal security measures in place when releasing any sensitive data.

If a contact asks you to provide them with data, it would not be deemed unreasonable to request that they come into the office and present suitable identification to you.

This would certainly demonstrate that you are protecting your customers’ and businesses’ best interests.

Again, if this is going to be part of your data protection policy, ensure that it is documented in your Privacy Policy so that customers are made aware of it.

The right to erasure – also known as the “right to be forgotten”: Individuals have the right to have their data removed from your database at any time, unless they are currently benefiting from one of your services or you are contractually obligated to store their data.

This right applies when:

  • The personal data is no longer needed for the purpose(s) that it was collected.
  • The individual withdraws consent.
  • The individual objects to the processing in cases where there is no overriding reason for continued processing.
  • The personal data was processed unlawfully.
  • The personal data must be erased to comply with a legal obligation.

To move, copy, or transfer: You need to be aware that your customers have the right to obtain and re-use their personal data for their own reasons across different services.

So you will need to ensure that you can service their requirements to move, copy, or transfer their data easily and securely from one IT environment to another.

To be able to rectify or change: Your customers can have their personal data rectified if it is inaccurate or incomplete.

To restrict processing: Your customers have a right to ‘block’ or suppress processing of personal data.

Can you handle a data breach?

To prepare your business for breach reporting, your team needs to understand what constitutes a data breach, and recognise that this is more than a case of lost personal data.

A data breach encompasses destruction, loss, unauthorised alteration, and unauthorised disclosure of – or access to – personal data.

To comply with GDPR, your business needs to implement procedures to detect, report and investigate data breaches.

The Information Commissioner’s Office (ICO) must be informed of all data breaches in which there is a high risk to the individual’s rights and freedoms.

A notifiable breach must be reported to the relevant supervisory authority within 72 hours of the organisation becoming aware of it, and the individual should be informed.

Failure to report a data breach could result in a fine of up to €10m or 2% of turnover. The fines for non-compliance are up to €20m or 4% of annual turnover.

Richard Combellack is chief commercial officer at BriefYourMarket. https://www.briefyourmarket.com/

Disclaimer: BriefYourMarket.com is not a legal or regulatory body. This article is for informative purposes only. To understand your position in relation to the GDPR, please consult your legal advice organisation.

5 Comments

  1. MichaelDay

    Max fines are 20 million Euros or 4% global turnover – reality is that this would need a Facebook proportion breach – everyone should however review security of data, particularly more sensitive aspects such as ID and bank account data which agents hold for Lettings and AML compliance reasons.

    I still visit offices where there is a post-it note on the screen with the password for the system or where staff share passwords. Also, given the increasingly transient nature of staff, what arrangements are there for protecting data when staff leave? – particularly with cloud-based systems that can be accessed from anywhere?

    No need to panic about GDPR, but a few key things need to be understood and actioned.

    Ask yourself – would you be happy for your personal data to be handled in the way your business handles it?

  2. MS8556

    Michael is correct on the max fines.

    Also as far as I am aware, you only have to report a breach to the ICO if it is going to infringe the rights of the individual.

    1. richard_combellack72

      Just to be clear, yes, Michael is right: the €20 million / 4% of global turnover is the fine for breaching. I was referring to the fine for failure to report a known breach, which is the €10 million / 2% of global turnover.

      However, I have tried to stay away from the fines in the article as I believe this is, as Michael says, a serious breach to result in this level. However, what businesses do need to be equipped to do is understand what a breach is, and when it is notifiable or not (when it essentially impacts on the consumer and their rights and freedoms).

      A good example in practice would be sending a landlord statement to the wrong landlord because of Outlook auto-completing. Provided all parties were informed and happy that the issue has been resolved and the data deleted from the wrong client's address, then this would not require notification. An example that would require notification is accidentally using a To: line instead of Bcc: in Outlook and sending your entire database of landlords to each other. You can attempt to remedy this by sending an apology and asking for deletion of the contact details from each party, but in this instance I would inform the ICO.

  3. DarrelKwong43

    I am pretty sure we are not part of the Euro, so the fine will be in ££££££

    1. MS8556

      £17 million / 20 million Euros or 4% of turnover allowed under the new law.
