Unlike the Millennium bug, the introduction of General Data Protection Regulation (GDPR) was not a one hit wonder: ongoing compliance is a key requirement. The majority of organisations paid heed to the introduction of GDPR in May 2018, but many seem to be struggling to keep on top of their ongoing compliance obligations.
We are seeing a number of recurring themes/issues including:
Some organisations (mainly businesses) labouring under the illusion that GDPR does not apply to them
They may be exempt from the requirement for a controller to pay a fee to the Information Commissioner’s Office (ICO), or to have a Data Protection Officer (DPO) in place, but that doesn’t mean they’re exempt from the law; the ICO guidance makes it clear that organisations are still required to comply with their other obligations under GDPR.
Lack of, or use of incorrect, documentation with regards to the processing or sharing of personal data
Organisations often do not realise they should have written agreements in place with third party processors (eg. payroll service providers) that comply with GDPR’s requirements. Alternatively, some organisations that have recognised the need for an agreement may have too readily assumed the recipient of personal data is a processor rather than a controller, which requires a data sharing agreement rather than a data processing agreement.
These issues take us back to the importance of understanding the fundamentals of being a controller or a processor, and to recognise the parties’ respective roles, so that the correct documentation can be put in place to manage the flow of data between them.
Concerns around Brexit, and what businesses should do if there is a ‘no deal’ Brexit
The only certainty at the time of writing is that if there is a true “no deal” Brexit, the UK will be deemed to be a “third country”, and transfers to and from the UK may require additional documentation – for example, use of the EU-approved Standard Contractual Clauses.
Many organisations are choosing to sit things out for now, but once matters are finally settled, they must be prepared to act quickly to address data transfers.
Inadequate privacy / fair processing notices
Organisations may have uploaded a new privacy notice on their website but often they have neglected to consider:
• if that notice is appropriate
• if the website is the best place for it
• what other fair processing notices or other consents are required.
For example, have the pension trustees provided beneficiaries with a privacy notice, or have employers provided employees and prospective employees with an appropriate updated privacy notice? Typically, organisations will require two or more privacy notices, depending on how they are structured and their business operations.
Why so many issues given the high profile introduction and coverage? There is no doubt GDPR-compliance is costly in terms of financial and human resources, and finding the right people is difficult given a dearth of data protection professionals.
And what of those headline grabbing fines – at worst, the greater of €20,000,000 or 4% of global turnover? To date, fines have been nowhere near that level, though it would appear many European data protection agencies (DPAs) are just warming up: fines across Europe for data protection breaches total some €56m for GDPR breaches since May 2018, from more than 200,000 reported cases.
To give a flavour of the direction of travel, having never previously issued a fine, the Polish Data Protection Office imposed a €220,000 fine on a company in March this year for failing to provide data subjects with information about the processing of their personal data.
In the UK, Facebook and Equifax share the top spot for the highest fines. The £500,000 fines imposed sound like small beer under the new regime, but the offences were actually committed (and assessed) under the Data Protection 1998 - which capped fines at £500,000.
The ICO may be seeking to help businesses comply with enforcement notices or other specific guidance prior to a fine being issued, but going forwards we can expect to see more significant fines being imposed.
Of course, DPAs also have other sanctions available to them which can have a profound impact, such as requiring an organisation to temporarily or indefinitely suspend processing of personal data. The Maltese DPA exercised this sanction when it required the country’s national land register to temporarily suspend processing of personal data while the DPA investigated a data breach. Imagine how such a sanction may impact on data-reliant businesses.
The EU may have been the first to increase regulation of the collection and processing of personal data, but it will certainly not be the last. In our data-driven, internet connected world, many countries and states are looking to bolster laws relating to data subject rights, data breaches and accountability requirements with plans to increase regulation.
Given the need for continued compliance, the issues seen to date and the prospect of further regulation, there are plenty of organisations that still need some encouragement along the road to compliance – and to recognise that it’s a journey that’s unlikely to end.
Partner and head of the commercial team in the South East, John Yates has extensive experience of advising on all areas of commercial law and business matters, taking a particular interest in IT, IP rights, data protection and freedom of information issues. Contact John at firstname.lastname@example.org or call 03333 231580