New data protection rules could potentially cost farmers millions of pounds in fines if they do not comply, the Central Association of Agricultural Valuers (CAAV) has warned.
The new rules, which come into effect on 25 May 2018 under the EU’s General Data Protection Regulations (GDPR), apply to any business that holds data on an individual – and that includes farmers, said Jeremy Moody, secretary and adviser at the CAAV. Farmers will have to keep personal data – for example on employees – secure and up to date, and will also have to demonstrate compliance and delete files if requested.
The consequences of getting data protection wrong can be enormous, said John Smith, solicitor at Burges Salmon. “For serious breaches in data protection, businesses can be charged up to €20m (£17.5m) or 4% of annual global turnover (whichever is greater).”
The new rules add to the existing Data Protection Act, with four key areas employers should be aware of: accountability, self-reporting, enhanced rights, and consent.
“Your business will need policies and procedures in place to demonstrate compliance with GDPR,” said Smith. “This needs to be on-going, day-to-day compliance, with training for relevant staff, and audits on what data you hold and where you’re keeping it.”
If a company breaches data protection rules it is required to report the breach to the Information Commissioner’s Office (ICO). “For serious breaches you have to report within 72 hours and keep a record.” This can include the loss of a laptop or memory stick containing personal information – and, with more resources to clamp down on breaches, the ICO will be able to walk into an office unannounced and temporarily ban firms from holding personal information. “On top of this, if an individual suffers losses as a result of a breach, there is no cap on the compensation they can claim.”
Currently, employees have a right to request to see all the personal data held on them by an employer – this remains the case but an employer can no longer charge a fee for this and must comply within 30 days, said Smith. Employees can also demand that their data is erased simply by removing consent for their data to be held.
Under the Data Protection Act, employers are required to have valid and justifiable reasons to hold data relating to an individual, so in the case of employees, they often rely on a consent clause in employee contracts, said Smith. However, the legal definition of consent under GDPR has been changed. “The bar has been raised high and it is no longer safe for employers to rely on this,” he explains. “Employers will now have to rely on contractual necessity to hold data, such as holding bank details in order to pay them, or National Insurance Numbers to comply with HMRC.”
On top of this, employers are responsible for any breaches that occur with a third-party company which is contracted to do work using personal information, such as payroll. “Farmers should review these contracts and add a GDPR clause saying the third party agree to comply, and if they don’t they can indemnify you.”
With so many changes, it’s vital to conduct an internal audit and make sure your house is in order, suggests Mr Smith. “The ICO has launched a telephone line to guide small businesses through the process but GDPR is imposing an onerous obligation on employers.”
So far the ICO is encouraging compliance, rather than penalising businesses, but this could change after GDPR comes into force, said Moody. “Although the rules sound complex and onerous, there are some simple steps that farmers can take to ensure compliance and there’s plenty of help out there.”