There is a lot of talk in the media about GDPR and how the changes in the rules will affect small businesses.
The most talked about change is probably the increase in fines that the ICO can issue for a breach of the rules. The existing maximum is £500,000 but from 25 May 2018, under GDPR, it will be a maximum of €20 million, or 4% of global turnover, whichever is higher.
Another major change that is likely to affect small businesses is the so-called right to erasure, also known as the right to be forgotten. This right enables an individual to request the deletion or removal of their personal data where there is no compelling reason for its continued processing. Having said that, please note it’s not an absolute right. Examples of when businesses can refuse such a request:
- To exercise the right of freedom of expression and information
- To comply with a legal obligation for the performance of a public interest task or exercise of official authority
- For public health purposes in the public interest
- The exercise or defence of legal claims.
The most common examples of when this right will apply are:
- Where the personal data is no longer necessary in relation to the purpose for which it was originally collected or processed
- When the individual withdraws consent
- When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing
- The personal data was unlawfully processed (i.e. otherwise in breach of the GDPR)
- The personal data has to be erased in order to comply with a legal obligation
- The personal data is processed in relation to the offer of information society services to a child.
Also, if a business has disclosed the personal data to third parties, they must be informed about the erasure of the personal data, unless there are very good reasons why this is not possible.
Here’s the Information Commissioner’s guidance on the right to be forgotten (the right to erasure).
You're on our blog and updates site, which is hosted by elXtr, a leading digital hub powered by the award-winning lawyers at LHS Solicitors LLP, bringing you real law, made easy.
Find out more about elXtr here.
The data protection bill now seeks to give people the right to force the huge companies who dominate the internet to delete personal data. During the election campaign Theresa May mentioned plans to give people the right to request deletion of social media posts, and it looks like it’s now happening. Labour’s Tom Watson has stated he supports the changes proposed by Matt Hancock, the minister of state for digital and culture. “Labour’s manifesto committed to allowing young people to remove content shared on the internet before they turned 18,” he says.