Around this time last year, four letters that sent a shiver up most people's spines were briefly more popular on Google than Beyonce – GDPR. A year ago, on 25 May, inboxes were full to the brim with emails asking us to opt in, give consent and take note of all manner of policy updates.
The changes to privacy laws were heralded as the biggest shake-up in 20 years. One year on, what practical changes have been made? Have regulators been handing out multi-million pound fines? How have Northern Ireland businesses adapted?
The big headline prior to implementation of the GDPR was the significant increase in the fines supervisory authorities could issue to data controllers - up to 20 million euro or 4% of global annual turnover. While the ICO has yet to issue any fines pursuant to the GDPR (although recent communications suggest the first one could be imminent), several other European regulators have done so.
These fines have not been anywhere near the maximum fine permissible but have still been significant sums - the Polish DPA recently fined an organisation 220,000 euro for not giving data subjects sufficient information on how it was using their personal information; most businesses provide this in their privacy statement.
The Portuguese authority fined a hospital 400,000 euro following a breach of its security obligations. As many incidents under investigation across Europe will have occurred under the previous data protection regimes, it is clear that in the coming months we will be seeing more and more "GDPR" fines being issued.
Another big issue anticipated by commentators was the new mandatory breach reporting which, as expected, has led to a significant increase in the number of personal data breaches reported to the ICO. The ICO has been critical of organisations for 'over-reporting', or reporting before any significant assessment has been undertaken of the key aspect of the Article 33 test - what is the risk to data subjects arising from the personal data breach?
Recent statistics published by the ICO show that in the second quarter of 2018/2019, over 4,000 breaches were reported. With only 72 hours to report a breach, when required, our experience is that businesses with a clear response plan in place have been best equipped to identify the issue, seek support, assess the risk and make the notification. This is crucial, as failing to report a breach, either at all or on time, is of itself a breach which can attract a fine, or will certainly be an aggravating factor in any enforcement action the regulator might take.
In her recent speech at the 2019 Data Protection Practitioner's Conference, the UK Information Commissioner, Elizabeth Denham, highlighted her concern that businesses are falling short of meeting the GDPR's accountability requirements.
"Accountability encapsulates everything the GDPR is about," Denham said. "It enshrines in law an onus on companies to understand the risks that they create for others with their data processing, and to mitigate those risks. It formalises the move of our profession away from box ticking…and instead seeing data protection as something that is part of the cultural and business fabric of an organisation. And it reflects that people increasingly demand to be shown how their data is being used, and how it’s being looked after. But I’ll be honest, I don’t see that change in practice yet.…I don’t see it in the breaches reported to the ICO."
Accountability is a statutory requirement to be able to demonstrate how compliance is being achieved - think of it as the instructions given before a mathematics exam: show your working-out! If you do get the wrong answer, you should still get credit for showing your method.
As Ms Denham also pointed out, organisations are reporting a significant uptake in data subject access requests, given the abolition of the £10 fee and the ease of making a request (including by email and social media). Data controllers continue to grapple with when a request can be refused on the grounds of disproportionate effort and when the timeline can be extended on the grounds of complexity – both of particular concern when dealing with data subject requests from employees, given the huge amount of data which can be in scope of the request.
The perils of failing to apply the relevant exemptions appropriately and/or to comply with the request are significant, and data subjects are quick to complain to the ICO when they consider that an organisation is not respecting their data subject rights - in December the ICO reported that the number of complaints from the public had increased from 9,000 to 19,000 over a comparable six-month period.
Whilst there was no transition period for the implementation of GDPR, it is fair to say regulators have been practical in their application of it, which has allowed organisations a period of cultural transition. However, that approach will not last forever, so leadership teams are well advised to keep data and compliance high on their boardroom agenda. Finally, whilst GDPR has its roots in Europe, the UK government has made it clear that, regardless of the Brexit outcome, the requirements within GDPR will remain a feature for any organisation handling personal information.
For more information, join the Pinsent Masons webinar GDPR One Year On – Lessons Learned (4 June, 12:00-12:30). Register via Heather.McFerran@pinsentmasons.com