When the Freedom of Information Act (FOIA) came into force in the UK in January 2005, it prompted over a million information requests. If GDPR causes a similar reaction, security experts warn, companies that are not prepared to deal quickly with requests could face lawsuits.
Possible Lawsuits For Many Businesses
As an IT Support Company in Hertfordshire we know how important compliance is for businesses, particularly where data security is concerned. In May 2018, the EU’s General Data Protection Regulation (GDPR) is due to come into force.
Security experts are now saying that, based on the experience of the FOIA's introduction, it is reasonable to assume that GDPR could prompt a large number of requests as soon as it takes effect. These requests could come from privacy advocates, consumers and members of the media. If companies are not fully prepared for GDPR and fail to respond quickly enough or in a satisfactory way, these people could complain to the regulator.
Profiling is another area that could attract litigation.
Profiling as described in GDPR is “any form of automated processing of personal data consisting of using those data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.”
One of the dangers of this aspect of GDPR from a business point of view is that it is clearly complex and could therefore leave a company open to lawsuits if the subject is not fully addressed before GDPR comes into force.
A recent survey by PwC, for example, showed that 98% of organisations have no idea what they are going to do to ensure they are GDPR compliant.
The Legal Profession Gearing Up
As an IT Support Company in Hertfordshire we know that in the digital age, data security and data management have become more complicated, and that keeping fully up to speed with them matters more than ever. Some security commentators have also pointed out that the legal profession, for example, is already preparing for the introduction of GDPR, both by building a market for litigation and by ensuring that it fully understands the many different aspects of the Regulation and their implications.
What Does This Mean For Your Business?
In short, preparation is the key to protecting your business. Your organisation, right from the boardroom down, should be fully aware of what GDPR means, and of how your business practices and data security will need to change to ensure compliance.
Ensuring that your company’s profiling activities are not likely to leave you open to ‘data subject consent’ problems will be important. Each profiling activity needs to be the subject of its own mini privacy impact assessment (PIA) to make sure that it complies with GDPR. If an activity doesn’t comply and can’t be modified, then there is an argument that it is not essential to the business.
Fewer profiling processes can mean that your company’s risk is easier to understand. Profiling should also be clearly described in your privacy notices.
Other preparations that your business could make to avoid litigation over GDPR include amending contracts or building consent mechanisms, and putting technologies and processes in place for dealing with objections to profiling and for responding to data subject access requests.