Data protection pitfalls could cost farmers dearly, warns CAAV

New data protection rules could potentially cost farmers millions of pounds in fines if they do not comply, the Central Association of Agricultural Valuers (CAAV) has warned.

The new rules come into effect on May 25 under the EU’s General Data Protection Regulations (GDPR) and apply to any business that holds data on an individual – and that includes farmers, said Jeremy Moody, secretary and adviser at the CAAV.

Farmers will have to keep personal data – for example on employees – secure and up to date, and will also have to demonstrate compliance and delete files if requested.

What’s it got to do with farming?

The most common area affecting farmers will be the holding of staff and contractor information. Computer records should be password protected, as should any information kept on your phone or tablet.

Consider the risks of losing your phone or address book, and whether there’s any sensitive information which should be protected.

If you use an external payroll provider, ensure any shared information is encrypted and that they also comply with GDPR. The same is true for landlords with tenants and external land agents, for example.

Passing on contact details may seem reasonable, especially if there is a legitimate interest for both parties – but, be aware that some people may not want their information shared.

Employee records

Currently, employees have a right to request to see all the personal data held on them by an employer – this remains the case, but an employer can no longer charge a fee for this and must comply within 30 days, explains Smith.

Employees can also demand that their data is erased simply by removing consent for their data to be held.

Diversified businesses

Those involved with buying and selling livestock or machinery will need to keep all the data stored securely – and be careful what you use that information for.

Buyers may be happy for you to hold their bank details, but not for you to send them an auction catalogue or sales advert, for example.

Marketing material could be a major pitfall for farmers with diversified enterprises. Recipients must have agreed to receive your marketing material, and they must actively opt in, not out.

A common error is copying people into a mass email – make sure the email addresses are blind copied so that the recipients cannot see everyone else’s email address.

It could be worth sending an email asking them to opt in to receive future circulars – and be clear what you’re going to use their data for: is it restricted to one enterprise or could it be used to inform them about future new initiatives?

In the main, it’s all about being more aware of the data you hold and use. Don’t be careless with it, and password-protect anything which might be potentially sensitive.

Breaches

The good news is that the ICO is currently encouraging compliance, rather than penalising businesses. However, the consequences of getting data protection wrong can be enormous, explains John Smith, solicitor at Burges Salmon.

“For serious breaches in data protection, businesses can be charged up to €20 million (£17.5 million) or 4% of annual global turnover (whichever is greater).”

The new rules add to the existing Data Protection Act, with four key areas employers should be aware of:
  • Accountability;
  • Self-reporting;
  • Enhanced rights;
  • Consent.

“Your business will need policies and procedures in place to demonstrate compliance with GDPR,” said Smith.

“This needs to be on-going, day-to-day compliance, with training for relevant staff, and audits on what data you hold and where you’re keeping it.”

If a company breaches data protection rules, it is required to report the breach to the Information Commissioners Office (ICO).

“For serious breaches you have to report within 72 hours and keep a record.”

A breach could include the loss of a laptop or memory stick containing personal information – and with more resources to clamp down on breaches, the ICO will be able to walk into an office unannounced and temporarily ban firms from holding personal information.

“On top of this, if an individual suffers losses as a result of a breach, there is no cap on the compensation they can claim.”