In May 2018 the EU’s General Data Protection Regulation (GDPR) is due to come into force and some security experts are warning that this could bring with it the possibility of litigation from multiple sources for UK companies.
Some security experts believe that as soon as GDPR comes into force companies will face a large number of access, portability and right to be forgotten requests. When the Freedom of information Act (FOIA) came into force in the UK in January 2005 for example there were over a million information requests in the UK.
It may be reasonable therefore to assume that GDPR could prompt a larger number of requests on its introduction. These requests could come from privacy advocates, consumers and members of the media. If companies are not fully prepared for GDPR and fail to respond quickly enough or in a satisfactory way, these people could complain to the regulator.
Profiling could also be one of the areas that could attract litigation. Profiling as described in GDPR is “any form of automated processing of personal data consisting of using those data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.”
One of the dangers of this aspect of GDPR from a business point of view is that it is clearly complex and could therefore leave a company open to lawsuits if the subject is not fully addressed prior to the introduction of GDPR.
No Idea What To Do?
A recent survey by PwC for example showed that 98% of organisations have no idea what they are going to do to ensure they are GDPR compliant.
The Legal Profession Gearing Up
Some security commentators have also pointed out that the legal profession is already preparing itself for the introduction of GDPR in terms of how to build a market for litigation as well as ensuring that they fully understand the many different aspects of the Regulation and its implications.
What Does This Mean For Your Business?
In short, preparation is the key to protecting your business. Your organisation, right from the boardroom down should be fully aware of what GDPR means, and how your business practices and data security will need to be changed to ensure compliance.
Ensuring that your company’s profiling activities are not likely to leave you open to ‘data subject consent’ problems will be important. Profiling activities each need to be the subject of your own mini privacy impact assessment (PIA) to make sure that they fall under GDPR. If they don’t and can’t be modified, then there is an argument that they are not essential to the business.
Fewer profiling processes can mean that your company’s risk is easier to understand. Profiling should also be clearly described in your privacy notices.
Other preparations that your business could make to avoid litigation over GDPR include amending contracts or building consent mechanisms, and putting technologies and processes in place for dealing with objections to profiling and for responding to data subject access requests.