AROUND this time last year, four letters that sent a shiver up most people's spine were briefly more popular on Google than Beyonce – GDPR. Inboxes were full to the brim with emails asking us to opt in or consent, and giving all manner of updates on policies. The changes to privacy laws were heralded as the biggest shake-up in 20 years.
But one year on, what practical changes have been made? Have regulators been handing out multi-million pound fines? How have Northern Ireland businesses adapted?
The big headline prior to implementation of the GDPR was the significant increase in the fines Supervisory authorities could issue to data controllers - up to €20 million or 4 per cent of global annual turnover.
While the ICO has yet to issue any fines pursuant to the GDPR (although recent communications suggest the first one could be imminent), several other European regulators have done so. These fines have not been anywhere near the maximum fine permissible but have still been significant sums - the Polish DPA recently fined an organisation €220,000 for not giving data subjects sufficient information on how it was using their personal information; most businesses do this in their privacy statement. The Portuguese authority fined a hospital €400,000 following a breach of its security obligations.
As many incidents under investigation across Europe will have occurred under the previous data protection regimes, it is clear that in the coming months, we will be seeing more and more “GDPR” fines being issued.
Another big issue anticipated by commentators was the new mandatory breach reporting which, as expected, has led to a significant increase in the number of personal data breaches reported to the ICO. The ICO has been critical of organisations for 'over-reporting', or reporting before any significant assessment has been undertaken of the key aspect of the Article 33 test - what is the risk to data subjects from the personal data breach?
Recent statistics published by the ICO show that in the second quarter of 2018/2019, over 4,000 breaches were reported. With only 72 hours to report a breach, when required, our experience is that businesses which have had a clear response plan in place have been best equipped to identify the issue, seek support, assess the risk and make the notification. This is crucial as failing to report a breach, either at all or on time, is of itself a breach which can attract a fine, or certainly be an aggravating factor in any enforcement action the regulator might take.
In her recent speech at the 2019 Data Protection Practitioner's Conference, the UK information commissioner Elizabeth Denham highlighted her concern that businesses are falling short of meeting the GDPR's accountability requirements.
She said: "Accountability encapsulates everything the GDPR is about. It enshrines in law an onus on companies to understand the risks that they create for others with their data processing, and to mitigate those risks. It formalises the move of our profession away from box ticking and instead seeing data protection as something that is part of the cultural and business fabric of an organisation. And it reflects that people increasingly demand to be shown how their data is being used, and how it’s being looked after. But I’ll be honest, I don’t see that change in practice yet. I don’t see it in the breaches reported to the ICO."
Accountability is a statutory requirement to be able to demonstrate how compliance is being achieved - think of it as the instructions given before a Mathematics exam: show your working-out! If you do get the wrong answer, you should still get credit for showing your method.
As Ms Denham also pointed out, organisations are reporting a significant uptake in data subject access requests, given the abolition of the £10 fee and the ease of making a request (including by email and social media). Data controllers continue to grapple with when a request can be refused on the grounds of disproportionate effort and when the timeline can be extended on the grounds of complexity – both of which are particular issues when dealing with data subject requests from employees, given the huge amount of data which can be in scope of the request.
The perils of failing to appropriately apply the relevant exemptions and/or comply with the request are significant and data subjects are quick to complain to the ICO when they consider that an organisation is not complying with their data subject rights. In December the ICO reported that the number of complaints from the public had increased from 9,000 to 19,000 in a comparable six month period.
Whilst there was no transition period for the implementation of GDPR, regulators have been practical in applying it, allowing organisations a period of cultural transition. But that approach will not last forever, so leadership teams are well advised to keep data and compliance high on their boardroom agenda.
:: Pinsent Masons is holding a webinar 'GDPR One Year On: Lessons Learned' on June 4 (noon to 12.30pm). Register via Heather.McFerran@pinsentmasons.com
:: Laura Gillespie is partner (litigation & regulatory) at Pinsent Masons in Belfast