The General Data Protection Regulation (GDPR) came into force in May 2018, and eight months on, the scale of the work involved in implementing the law has been staggering.
From a business perspective, the changes made to existing (or, in some cases, non-existent) data protection policies and procedures were significant.
The media has given this topic a lot of attention over the last eight months, which has helped raise awareness among individuals, giving them more power to control how their data is used and to hold businesses to account for their actions. Whilst the spirit of the regulation is clear, the work involved for businesses and the ways in which this tool can be used are causing many concerns and, in some cases, real detriment.
The media has reported a significant increase in data breach notifications to the Information Commissioner’s Office (ICO), the UK’s data protection regulator, since the law came into force. This is not a surprise given that individuals, some from a consumer point of view, are more aware of their rights and are holding businesses to account.
There appears to be a simple explanation for this. Companies that collected and processed large amounts of customer data were being subjected to more leaks and cyber-attacks. This, in turn, harmed their customers, because their data was taken and used by criminals for fraud, often causing financial harm and distress to those whose leaked data was abused.
Other examples include companies taking customer data and passing it on to third parties, often without the customer having consented to this. This manifested in cold callers continuously ringing individuals about services or products they had no interest in. Just think about the number of calls the average consumer receives about PPI or accident claims. Did they actually recall providing their personal details to the company making the call? Most likely not. So the question follows: how did they obtain my data?
As a firm of solicitors, we have experienced individuals challenging businesses regarding their data; we have had clients’ former employees using business data in breach of the GDPR, placing our client in potential breach; we have seen confusion over opting in and out, and misunderstanding of what data a business is permitted to hold and share; service providers’ contracts are out of date; and the sale of data and of companies flagrantly breaches the spirit of the GDPR.
Be prepared and be ready
Leading up to the introduction of the GDPR, there was a simple message: get ready for the changes by 25 May 2018 or face the prospect of heavy penalties! However, we have not seen the volume of UK court cases or ICO public enforcement notices that was expected.
The UK regulator has served Canada’s AggregateIQ with the first GDPR enforcement notice, giving the company 30 days to comply with data regulations or face a fine of up to €20 million. This is currently going to appeal. However, everything else seems very quiet and calm… Could there be a storm looming?
The ICO is suffering from extreme over-notification of data breaches. In September 2018, the Deputy Information Commissioner remarked:
“Some controllers are ‘over-reporting’: reporting a breach just to be transparent, because they want to manage their perceived risk or because they think that everything needs to be reported…”
What should businesses be doing?
Businesses should continue to be GDPR compliant, as we suspect change will come, and come fast, since many lawyers for potential claimants are gearing up for UK court action. Individuals will be aware that the “Morrisons Appeal” has been upheld, and claimants are reporting breaches daily.
Businesses need to have their processes and policies in place, their systems checked and monitored, and a record of any breaches available for inspection, so that they can demonstrate compliance.
The Ticketmaster breach clearly shows why data security matters as much as the questions of why our data is retained, for what purpose and for how long. This breach affected customers buying tickets between September 2017 and 23 June 2018, so it spans two data protection acts: the Data Protection Act (DPA) 1998 and the Data Protection Act (DPA) 2018, the latter being the UK’s version of the EU’s General Data Protection Regulation (GDPR). Which will prevail is currently under review, but there are numerous breaches, including:
- Unauthorised access
- Failure to put in place robust technical measures to protect data
- Not having adequate internal policies, procedures and internal organisation
- Possibly failing to report a breach within sufficient time
It will be a case to watch as to whether the ICO supports change or penalises the company for this breach.
Recently we have seen reports that British Airways suffered a data breach, and Marriott Hotels also. In line with their reporting requirements, both were reported to the ICO. The ICO has confirmed it is also investigating the Marriott Hotels data breach.
Furthermore, the first organisations have been fined for not renewing their fees with the ICO. It is reported that many more fines are to follow. According to the ICO website, “more than 900 notices of intent to fine have been issued by the ICO since September and more than 100 penalty notices are being issued in this first round.”
Businesses should be aware that they will be breaking the law if they do not pay their fees to the ICO. These fees are payable by any business which collects and processes personal data.
Action being taken by the ICO is ultimately good for the individual for two reasons. Firstly, businesses are concerned that they will face severe penalties from the regulator if they fall foul of the regulations; secondly, businesses want to maintain customer confidence by being compliant and committed to the safeguards they must implement. Both go hand in hand, and thus allow for better protection of individuals’ data.
The GDPR has allowed data protection laws across the EU to become more harmonised and to keep up with the new ways in which businesses collect personal data. This has also seen several regulators across Europe deal with an increase in the number of complaints received from individuals.
What have the last eight months taught us?
We have seen more businesses strive to implement real change in the way they collect and handle data. Some of the work we have undertaken for businesses has included reviewing and drafting customer and staff policies; web policies; amending staff handbooks and contracts; auditing their third-party contracts; general assistance with their processes; and internal training. These are some of the things other businesses can take note of and really think about when considering their own processes.
If anything can be taken from all of this, it is that data protection is fast becoming an area where more “breach cases” will arise. Businesses must continue to actively remain GDPR compliant by reforming and improving their processes and policies if they are to protect themselves from litigation and/or action taken against them by the ICO.
Karen Holden is an award-winning lawyer and founder of A City Law Firm