GDPR and the Data Protection Act came into force in May 2018. There was some sense of foreboding as we built up to the introduction, there was no transition period just a new and extensive set of rules and regulations to replace and update the Data Protection Act 1998. The legislation is not a one off exhortation to get data protection issues sorted but a new set of rules that apply and will continue to apply, backed up with an enforcement regime in the form of the ICO. The legislation was introduced to cope with the significant developments in the way data can now be collected, used and transferred.
Many businesses started early but in my experience many left it to around Christmas 2017 to start to introduce new systems and educate employees to work towards compliance. If the 1998 Act was being followed then this was a solid platform in terms of the requirements of GDPR. A number of high profile data breaches have shown why the legislation should be an integral part of commercial life.
We have had many requests for advice on various parts of the new legislation. Here are just a few thoughts based on those requests:-
- Employee engagement can still be patchy, in many cases a data breach will be down to human error. Organisations should continue to prioritise data protection. The fines can be significant.
- There is an unnecessarily cautious approach in relation to reporting data breaches and this is reflected in comments by the ICO. The legislation sets out when a report should be made and not every breach should be reported to the ICO. There is clearly some misunderstanding here in relation to the legislation.
- Equally there may be under-recording in your own internal records. A data breach should be noted, even if it isn’t reported to the ICO. Organisations should maintain a data breach register.
- Data breaches are happening everyday around the country, one common example being emails incorrectly addressed. Again, this is about employee training and engagement. As an example, an email chain should not be forwarded unless it has been previously checked for the personal data of a third party. Good habits will take time.
- We should all treat the data of our clients and customers as we would expect our own data to be treated by organisations we hand it over to. Personal data is not just digital personal data but also paper copies and paper may be left lying around or carelessly discarded. This is basic stuff which the ICO wouldn’t be impressed with if there was a serious data breach.
- The Morrisons’ litigation has upped the stakes as far as Employers are concerned. It appears that Companies can be vicariously liable for a malicious data breach by an Employee. In the Morrisons case this prompted group litigation against the Company. There is no need in these cases to show a direct financial loss. Whilst group litigation is difficult to organise and bring under the new rules, there will be claims companies looking out for appropriate cases and who will monitor the ICO’s website in relation to data breaches.
- The ICO has good public engagement and publishes information on a regular basis including on its website and through blogs. You can sign up to receive its updates.
- The ICO is quite happy to go after public bodies as part of its role having recently issued an Enforcement Notice against the Metropolitan Police in relation to its Gang Matrix. This can be found on its website. It is an interesting example of the ICO working through the data protection principles and identifying breaches against these.
- The Data Subject Access Request Rules have changed and you should have procedures in place to deal with these. There is no requirement to make a request in a particular format so there should be some process in place to identify a request and for the appropriate people to deal with them. If the request is extensive you can extend the period for a response by up to a further 2 months under the Data Protection Act 2018. An employer who receives a confidential employment reference can refuse to disclose it, this is a change to the rule in the 1998 Act.
- There is probably an underuse of data sharing agreements where data is shared by a data controller. These agreements need not be complex in most cases but steps should be taken. Equally, privacy notices should be used and issued where appropriate, including to employees and potential recruits to a business. There should be a regular review of privacy notices. Particular care should be taken when you are processing sensitive or special category data such as medical records.
- There have been some fines under the old rules which would have been much more significant under the new legislation. Fines can now be up to €20,000,000 or 4% of global annual turnover. The Uber case was the subject of a ICO press release on 27 November 2018. This is an interesting read in terms of the approach that the ICO takes. Uber was fined £385,000 under the old rules but this would have been much higher if the breach had taken place after 25 May 2018. We shall watch with interest how the situation develops in relation to the Marriot Hotel breach where the records of 500 million customers have been compromised in a data breach.
- There may be some confusion as to whether an organisation needs a formal appointment of Data Protection Officer. If a DPO is appointed then there should be some degree of independence associated with the role. Your IT provider should not also provide DPO services.
- Organisations should look at the use of Data Protection Impact Assessments. The legislation sets out instances where these might be required including the introduction of new technology.
- Don’t forget your email and other electronic marketing is not only subject to GDPR but also the Privacy and Electronic Communications Regulations. These are due an update but the existing Regulations continue to apply.
Keep an eye on your data, your systems and your documents to ensure Employee engagement in 2019 and beyond. Data protection should be dealt with at a senior level and be a permanent feature on management agendas.