When a customer of a Glasgow beauty salon asked to have all information held about her deleted following her appointment, the business knew it had to comply with her request under the new data protection laws. But it also knew that its insurance company required it to keep all medical information about clients for a minimum of six years.
“They asked me my opinion of what I thought they should do,” says Louise McKenna, a human resources consultant who had been advising the salon on its General Data Protection Regulation (GDPR) compliance for data on its own workers.
“The insurance company said their insurance would be invalid if they deleted the file – the customer could come back and take legal action if there was a problem and they wouldn’t be able to prove they had checked out her medical history. Yet the customer has the right to ask for her data to be deleted.”
The conundrum is one of many faced by companies grappling with the new GDPR regulations due to come into force this week.
Email inboxes across the UK are currently being inundated with company requests for users to opt-in to mailing lists and subscriptions. It is a move which many companies know will annoy – and potentially alienate – their customers.
“We’re sorry,” apologised one which popped into my inbox from a restaurant booking website last week. “It’s another of those data emails…”
The new rules, which will apply from Friday, require companies, charities and other organisations to get permission from people on their databases to opt-in to mailing lists. They will have to justify how, why and for how long they hold data on not only customers, but their own employees – and former staff.
In addition, the length of time a firm has to give people access to the data it holds on them, if requested, will be reduced from 40 to 30 days. And although in some instances firms are currently allowed to charge for data access requests, they will no longer be able to do so, meaning the cost burden will fall on the company.
McKenna, who runs Glasgow-based Simple HR, has had to advise the 30-plus companies she works with on what they should do with data held on more than 1,000 staff. It has not been easy. She has carried out an audit on every company and checked hundreds of employee information files. “We try to use best practice and advise our clients to do the same, but some of them have had businesses for 30 years,” she says. “You would hope that they would clear out old files on people who no longer work there, but some might not have done.”
Although introduced as part of European Union law, the regulations will still apply after Brexit, transferring into UK law as part of the EU Withdrawal Bill, along with legislation on various things from workers’ rights to food safety.
It is not surprising that data laws needed to be updated. The current Data Protection Law is 20 years old – formed at a time when not all businesses even used email, while the internet was still in its relative infancy. It did not include cloud storage, Big Data or SMS.
Now, every company holds enormous amounts of data on its customers: names, addresses, dates of birth, photographs, bank details etc.
Most, but not all, is held electronically – a big shift from 20 years ago. While some data protection laws already apply, others do not.
In recent months, how firms hold people’s data has become a hot topic. News earlier this year of the leaking of personal information held by Facebook to political consulting firm Cambridge Analytica caused a furore, while various banks, retailers and other institutions have been left red-faced after failing to keep their customers’ information safe – as recently as last month, when some TSB customers reported being able to access other users’ accounts during an IT upgrade.
While GDPR will not guarantee that data will not be breached, it does mean that companies will no longer be allowed to hold on to data they do not need, making it less likely that a person’s personal information is hanging around unnecessarily on a database.
Sally-Anne Anderson, employment law partner at legal firm Aberdein Considine in Edinburgh, says she is telling her clients to be prepared – but not to panic.
“GDPR is about not holding information that you don’t need,” she explains. “Where you run into problems is if you have information you did not ever need to have, or if you have had it for too long so it is no longer relevant. But what is worrying for small businesses is that there is no staged introduction of GDPR, on the face of it – from 25 May, this is it.”
The Information Commissioner’s Office (ICO), which will be responsible for the implementation of the legislation, is taking on around 200 extra staff over the next two years to prepare for the changes.
“One of the major changes is that businesses have previously taken the attitude that the onus is on the data subject to prove that they are not complying,” says Anderson. “Under GDPR, it will be the other way around. The burden of proof is now on the company to prove compliance.
“What I am telling them, however, is that the ICO is likely to look more favourably on a company which is trying to comply, which is doing something, rather than those which are doing nothing.”
Companies which fall foul of the new rules could be charged fines of up to €20 million (£17.5m) or four per cent of the company’s global annual turnover – whichever is greater – a huge figure compared with the current Data Protection Act, which commands penalties of up to £500,000. In short, businesses cannot afford to get it wrong. An analysis carried out last year by the NCC Group of ICO fines under the existing laws found that the penalties charged in 2016 would have been 79 times higher under GDPR.
“The General Data Protection Regulation brings the law bang up to date,” says a spokeswoman for the ICO. “It is the biggest change to data protection in a generation and gives us all back control of our own information.
“Any organisation that processes personal information – be it a multi-national bank, a high street hair salon or a local authority – will have a legal obligation to treat that information fairly and transparently. They must be able to account for what they do; how and why they do it.”
Yet, while big firms have entire teams dedicated to ensuring they are compliant with GDPR – Royal Bank of Scotland began a “bank-wide” programme to prepare for the changes over two years ago – small businesses, including 360,000 SMEs north of the Border, have been left with the burden of dealing with it with far more meagre resources.
“Small businesses can’t afford to bring in teams of legal experts,” says Alan Soady, spokesman for the Federation of Small Businesses. “There are a lot of myths floating around about GDPR. Not intentionally, but there has been a lack of clarity and support, so small businesses have picked up a lot, not all of it necessarily correct, via word of mouth.”
A survey carried out by the organisation in February found that 18 per cent of small business owners had not heard of GDPR or did not know what it was, while just eight per cent said they had completed their preparations. Meanwhile, a separate study published by the UK Government in January found the same applied to half of all charities.
“We would hope that number is smaller now, as that was a few months ago now,” says Soady. “We would hope that proportion would have gone down over that time, but there will still be some who are not ready.”
He says that how GDPR will play out will only become clear when specific cases are brought before the courts – such as the beauty salon’s data deletion conundrum.
“That is the sort of thing where if they kept the records and then the person complained, it would end up being for a court to interpret the law and see which would take precedence,” he says. “It will only be when cases are tested that we will have clarity. There is a lot about this that we are still to discover.
“The law talks about ‘legitimate interest’, but what one person considers to be legitimate, another may not.”
Some businesses have asked everyone on their mailing lists to click a button saying they are happy to opt in to future mailings. Others, however, are sending emails simply informing people that they are on a list and to let them know if they want to be removed. Companies which are happy that they have asked for the correct permissions in the past do not necessarily have to change anything with the introduction of GDPR.
“A lot of businesses are erring on the side of caution at the moment,” explains Soady. “Not only because they want to ensure they are compliant, but because they want customers to be confident that they are handling their data properly. In some cases, people might have already opted in fairly recently and companies are happy that their data protection handling is compliant with GDPR. Others may not.”
Rachel Aldighieri, managing director at the DMA, the trade association for the direct marketing industry, says that firms can use the regulations as an opportunity. “The new laws offer an opportunity for organisations to put the consumer front and centre of their company’s culture,” she says.
Charities are also being hard hit by GDPR compliance requirements. How not-for-profit organisations hold data – and what they do with it – has become a bone of contention for many.
The tragic death of pensioner Olive Cooke in 2015 raised the issue, amid claims that the fervent charity supporter had been plagued by direct marketing and phone calls from other charities which had bought her data, although she had never contacted them. Meanwhile, last April, a total of 13 charities were fined following an investigation by the ICO. The watchdog found that many of the charities – including the Guide Dogs for the Blind Association and Cancer Research UK – secretly screened millions of donors so they could target them for additional funds. Some charities also traced and targeted new or lapsed donors by piecing together personal information obtained from other sources, while others traded personal details with other charities, creating a large pool of donor data for sale.
“The big charities were investigated by the ICO for doing things with data,” says David McNeill, digital director of charity membership body, the Scottish Council for Voluntary Organisations (SCVO). “Essentially, if you wouldn’t be happy to tell people quite clearly what you were doing with their data, then you should not be doing it.”
Lifeboat charity the RNLI took a different tack. It decided to use the opportunity to start its contacts list from scratch. What it decided to do was adopt an “opt-in-only” system where individuals have to choose to be contacted, rather than an “opt-out” system where supporters are automatically added to a list on a database unless they expressly opt out.
When it first announced the plans, in October 2015, well before GDPR was on the cards, it said the decision – believed to be the first in the UK charity sector – would potentially cost it £35.6m worth of lost income over a five-year period. “The RNLI decided to effectively start again by contacting all of their donors and supporters and asking them to opt in,” explains McNeill. “It is not a bad idea.”
Joanna Boag-Thomson, head of data protection at law firm Shepherd and Wedderburn in Glasgow, agrees.
“It is a chance for organisations to get their house in order,” she says. “If you are a business, you need to think how you would want your data to be treated if you were a customer. If you have your customer hat on, you will tend to behave in a compliant way.”
However, she says her firm has already seen an increase in the number of people asking to see the personal data firms hold on them – known as a subject access request.
“This has been possible under the previous regulations, but as GDPR comes closer, more people are hearing about it, finding out that it is possible and are making these requests,” she says. But she has good news for the Glasgow beauty salon, which she says is within its rights to keep data on a customer if there is a legal need for it to do so – even if the client has requested that it be deleted.
“People think their rights are not subject to any controls, but they are,” she says. “But businesses will have to deal with people making these requests as GDPR comes to the fore. If a request is not upheld, even if it is right for the business to do so, people will argue it. I think companies’ complaints departments will have a lot of work to do.”