It has now been one year since the General Data Protection Regulation (“GDPR”) came into force in the UK, so, as the Information Commissioner herself has written a blog about the last year (which can be found here), here is our review of where we are to date.
Whilst a year ago many businesses were at panic stations, the fear of the impact of the GDPR has certainly fizzled away. One of the greatest problems with the GDPR was, and still is, that its aim is to protect all personal data; however, protecting personal data is a mammoth task considering that businesses deal with it every day. The volume of personal data is so great, and the type of data and the purpose for which it is handled differ from company to company, office to office, team to team and person to person. How then can a one-size-fits-all piece of legislation cover such varying situations?
Well, the GDPR has certainly sought to, although many might say that it comes with some inevitable flaws. Lawyers, companies and specialist advisers have spent a vast amount of time interpreting how the legislation applies and how it can be practically implemented within businesses. Whilst many (us included) have prepared a suite of documentation that can help a business to comply with the requirements, the key aim and intention of the GDPR is to ensure that businesses from the outset (and from the top down) consider what data they are taking and seek to protect it in the best way possible. Dealing with personal data is a subjective task for each and every organisation.
The ICO have come up with a whole host of guidelines, crib sheets and easy-to-follow documentation on what businesses need to do and consider, including helpful questionnaires to assess whether or not a breach needs to be reported to them. While the hype may have reduced, it is still a legal requirement to ensure compliance with the GDPR and, come what may with Brexit, the rules will still apply whether we leave with a withdrawal agreement or not.
Whilst some may be thinking that the GDPR was a scare tactic that never followed through, it is certainly worth noting that the ICO have issued over 900 notices of intent to fine businesses (fines of up to £4,350, which is for failure to pay the registration fee) and have issued advisory guidance to numerous organisations. In addition, they have received around 14,000 breach complaints in the course of the last year and are investigating a number of organisations under the GDPR. To date the ICO have not fined under the GDPR (where they have the ability to fine up to the higher of 4% of annual global turnover or €20 million), but that is not because they do not intend to: they are still catching up and are still issuing backdated fines under the old legislation! They have just issued their first enforcement notice, against HMRC, under the new (or year-old) legislation, and there are a number of organisations under investigation. As things stand, we do not know how hard the ICO are planning to come down on those organisations.
In addition to the ICO having the ability to issue fines, it is also worth noting that an individual whose personal data has been breached can make a civil claim for damages in the court. This can also have implications for employers, who may be vicariously liable for the actions of their staff, as is currently being considered in the Wm Morrison Supermarkets Plc v Various Claimants case, which is being appealed to the Supreme Court.
One thing that has certainly increased over the last year is the demand from individuals for subject access requests. A business always needs to remember that anything that is written down is (in the majority of cases) subject to being viewed by the individual.
The Information Commissioner has indicated that the first year was about ensuring a baseline of compliance and has said that the focus for the second year “must be beyond baseline compliance – organisations need to shift their focus to accountability with a real evidenced understanding of the risks to individuals in the way they process data and how those risks should be mitigated”. The ICO are therefore looking to see some real understanding from businesses as to the importance of personal data, and systems and processes need to be incorporated into day-to-day practices to protect it.
With all this in mind, we have a few top tips for businesses to keep on top of GDPR compliance:
- Record what data you hold, what you do with it and why (data map).
- Consider whether you take sensitive personal data and, if so, ensure you put in place extra provisions to secure it.
- Make sure your staff are aware of data protection policies and their obligations.
- Never write anything about somebody you would not be happy for them to see.
- If you are liable to be registered with the ICO, register now and ensure you keep your payments up to date.
- Always consider whether you need to share data with third parties and make sure you have contractual provisions in place to protect that data.
- Build data protection into all of your processes.
- If you or someone in your organisation commits a breach, do not panic, check the ICO breach questionnaire or speak to a professional to see what action you need to take.
It only takes a complaint from one unhappy person to have the ICO involved, so try to get on top of your compliance now.
If you have any questions about any of the above or would like to undertake a review of your data compliance please do not hesitate to get in touch with our specialist team.
For further information, please contact Jo O’Donovan, a Solicitor in the Commercial & Employment department, on 01626 202347 or joO’Donovan@wbw.co.uk. WBW Solicitors has offices in Newton Abbot, Exeter, Torquay, Paignton, Bovey Tracey, Launceston, Honiton, Exmouth and Sidmouth.
This article is for general information only and does not constitute legal or professional advice. Please note that the law may have changed since this article was published.