
Protect your data

Hirers need to be aware of forthcoming data protection regulations that carry stiff penalties for non-compliance, says Adam Bernstein.

A typical hire business will hold plenty of data, from employee and supplier records to reams of private information on customers, such as addresses and payment details. Companies should understand their obligations, for not only is the regulator, the Information Commissioner (ICO), levying more fines, but from next year the law is changing.

The risks from hacking are always understated until an incident occurs, with even worse implications if criminal activity is present. Take the case of a Berkshire-based video rental company: when its website was criminally hacked, the company still received a £60,000 fine in June 2017 because its security didn’t pass muster.

On 25 May 2018, the General Data Protection Regulation (GDPR) takes effect, representing the biggest shake-up in this area in over 20 years. Despite originating from Europe, not even Brexit will save a business from compliance. The ICO has made it clear that UK companies should prepare for GDPR. Liz Fitzsimons, a partner in the Privacy, Cyber and Information Team at Eversheds Sutherland (International) LLP, says the GDPR replaces the current Data Protection Act 1998 (DPA) and imposes much stricter obligations. A key change is tougher enforcement. As she notes, “With regulators across the EU having the ability to fine businesses up to the higher of €20m, or 4% of annual global turnover, which may be calculated on group-level turnover, the penalties are not to be ignored.” Presently, the maximum fine is £500,000.

New obligations

She adds that there are new obligations for those that hold data. “Under the DPA, obligations fall on a data controller, such as a hirer deciding what personal data to collect and what to use it for. It does not affect service providers, such as a payroll provider, when handling personal data on behalf of the hirer. However, the GDPR changes this and imposes certain legal obligations directly on data processors.” She explains that this includes the possibility of fines and individual compensation claims from affected individuals. She advises data controllers to vet their data processors “to ensure they are capable of meeting the GDPR requirements, particularly in relation to security.”

Further, contracts with data processors must contain a detailed list of provisions to comply with GDPR. For many, real interaction with data protection legislation comes when there’s been a breach.


As Liz Fitzsimons notes, the GDPR creates a new legal requirement for the mandatory reporting of any personal data security breaches “if there is any risk to the rights and freedoms of individuals whose personal information is involved.”

This includes deletion of personal information. She points out that the requirement to notify must be made within 72 hours of knowledge of the breach - including weekends. So consider what Royal & Sun Alliance faced when it lost the personal information of 60,000 customers. Despite its work to make good the loss it still received a £150,000 fine from the ICO in January 2017.

The ICO website offers advice on the GDPR.

Another change relates to fair notice - the information contained within any privacy policy/notice explaining to employees, customers, suppliers and the like how their personal information is used. The information that must be provided prior to the data controller collecting and using such data has increased significantly. Liz Fitzsimons says, “Under the GDPR, not only must firms explain why they use the personal details, but also the legal basis for such use - say to perform a credit check on a customer, or to comply with legal obligations such as employee PAYE. It’s important to know and explain whether the personal details will be transferred outside the EEA and on what legal basis.

“Under the DPA, use of personal data requires businesses to meet at least one lawful ground to do so - and they have often relied upon consent. The GDPR continues that requirement for a lawful basis of use, but makes it more important, as the legal basis selected must be explained to individuals. Consent cannot be implied.” In a hire context, the customer may be asked for identification before a credit check is run; their consent must be obtained before the detail is recorded and the check made.

Remember that individuals can withdraw their consent at any time. “However, it must be clear and unambiguous, freely given and informed. Consent also cannot be bundled with other matters (i.e. within an employment contract or a hire agreement) and records of consent must be kept,” says Liz Fitzsimons. It is also worth noting that, if consent obtained prior to the GDPR does not meet its requirements, it cannot be relied upon after 25 May. For more information visit
