With the new General Data Protection Regulation (GDPR) coming into force in May, we look at how farm businesses need to prepare.
Changes in data protection rules could cost farmers millions if they do not comply with new regulations coming into effect on May 25.
The EU’s new GDPR means farmers will have to keep personal data secure and up-to-date, and will also have to demonstrate compliance and delete files if requested, warned Jeremy Moody, secretary of the Central Association of Agricultural Valuers.
And leaving the European Union does not get British farmers out of complying with the rules.
The consequences of non-compliance could be huge: for the most serious breaches, businesses can be fined up to £17.5 million (€20 million in the EU text of the regulation) or 4 per cent of annual global turnover, whichever is greater.
John Smith, a solicitor at Burges Salmon, said compliance needed to be an ongoing, day-to-day effort, with training for relevant staff and regular audits.
Breaches need to be reported to the Information Commissioner's Office (ICO), and those likely to put individuals at risk must be reported within 72 hours of the business becoming aware of them. A reportable breach can be as mundane as losing a laptop or a memory stick which holds personal information.
With more resources to clamp down on breaches, the ICO will be able to walk into an office unannounced and temporarily ban firms from holding personal information.
Mr Smith said: “On top of this, if an individual suffers losses as a result of a breach, there is no cap on the compensation they can claim.”
Employees also have the right to ask to see all the personal data held on them, which must be provided within one month, and employers can no longer charge a fee for this unless the request is manifestly unfounded or excessive. They can also ask for the data to be erased, which must be done unless the employer has a lawful reason to keep it.
Being able to demonstrate compliance was a key principle: an organisation needs to be able to show, and keep a record of, why it stores personal data.
This can be contained in a simple file note, according to David Laing from digital consultancy firm My Future Cloud.
He said: “Any organisation, including farmers, can store personal data as long as they have a justification for collecting and handling it.”
Consent was one justification, but could be onerous to obtain and maintain, and Mr Smith warned that the legal definition of consent has been changed under GDPR. Consent now has to be freely given, specific, informed and unambiguous, so a pre-ticked box or a customer's silence no longer counts.
He said: “Employers will now have to rely on contractual necessity to hold data, such as holding bank details in order to pay them, or National Insurance Numbers to comply with HMRC.”
Employers also remain responsible for personal data they pass to third-party companies which process it on their behalf, such as a payroll provider, and must have written contracts in place with those processors.
Securing data was a key part of GDPR: the regulation requires "appropriate" technical and organisational measures, but leaves it to the business to decide which measures are appropriate for the data it holds.
The more valuable, confidential and sensitive the personal data, the greater the level of security which should be imposed.
David Laing, of My Future Cloud, suggested businesses should consider:
More tips are available on the ICO website
Farms which have diversified may have more data to consider with farm shops and other secondary businesses potentially serving thousands of customers, according to Ian Burrow, head of agriculture and renewable energy at NatWest.
He said: “If you have a marketing database, you must make sure you contact every one of them to confirm they are happy for you to store their data, and keep a record of when and how they gave you the permission, even if it is not your core business.
“Key to the legislation is consumers will have a ‘right to be forgotten’, meaning if they ask for their data to be deleted and there are no legitimate reasons not to, it must be destroyed.”
Businesses also have to give those customers a simple, straightforward way to withdraw consent.
About 60 million people in the UK have personal data stored by organisations, and cybercrime stemming from data security breaches cost Britons £1 billion last year.