GDPR and the Trade Unions: will this inspire a wave of protest?
The UK Data Protection Act has been in force for a long time. Customers and employees already have the right to request that organisations reveal what information is held about them. Typically, a customer or employee (referred to as a “Data Subject” in this article) will contact the organisation’s Data Protection Officer (DPO) and enclose a cheque for £10 with the request; however, the cheque is rarely cashed, because in larger organisations the process of raising an internal order costs more than the £10 they stand to gain.
Picture a Data Subject aggrieved with an organisation, who is either looking for an aid to litigation or simply being a nuisance to protest how they have been treated. Sifting through millions of unorganised paper and digital records would consume a substantial amount of the organisation’s time. We only have to look at a Freedom of Information request submitted to the Home Office to see that its longest time to respond to a subject access request was 549 days. (Source: www.whatdotheyknow.com, accurate as of 31st August 2017.) Unofficially, I have heard of organisations paying Data Subjects up to €5,000 to compensate them for dropping their access request. Wow.
Let’s take this up a notch and consider the Trade Unions and the “mass walkout” protests organised by the TUC, Unite and UNISON. What if the workforce employed a new protest strategy and, rather than walking out, continued to work while swamping the employer with mass Data Subject access requests? If it takes an organisation even one percent of the 549 days it took the Home Office to respond, that amounts to five days per employee. Multiply this by 1,000 employees “protesting” and all submitting a Data Subject access request at the same time, and the organisation could be faced with up to 5,000 days of work to resource somehow, or with offering compensation to employees (via the Union) to drop the requests.
Ironically though, organisations could counter the unions and retaliate in the same manner, so unless the unions are confident they have their data in order and easy to access then this new form of protest is unlikely to happen in the short term.
Under the current Data Protection Act, organisations have 40 days to respond to a request; that is still a problem if 1,000 Data Subject access requests come in at once, and failure to comply brings a maximum potential fine of £500,000. Painful, but it could be far greater under the new General Data Protection Regulation (GDPR), which is essentially the Data Protection Act on steroids. It is already law but only enforceable from 25th May 2018. Under the GDPR, organisations have only one month to respond to Data Subject access requests, and failure to comply could see a fine of up to 4% of global annual turnover or €20 million, whichever is greater – that is a potential 4000% increase in the fine.
Winterhawk has partnered with British multinational insurance firm RSA and financial advisors Lansdowne Woodward to bring a market first – Cyber Risks & GDPR Insurance. Winterhawk also provides a range of GDPR services, readiness assessments and a GDPR Starter Kit to help get organisations up and running to tackle the compliance activities required of them.