Unlike the Millennium bug, the introduction of General Data Protection Regulation (GDPR) was not a one hit wonder: ongoing compliance is a key requirement. The majority of organisations did pay heed to the introduction of GDPR on 25 May 2018, but many seem to be struggling to keep on top of their ongoing compliance obligations.
We are seeing a number of recurring themes/issues including:
Some organisations (mainly businesses) labouring under the illusion that GDPR does not apply to them
These organisations may be exempt from the requirement for a controller to pay a fee to the Information Commissioner’s Office (ICO), or the requirement to have a Data Protection Officer (DPO) in place, but that doesn’t mean they are exempt from the law; the ICO makes clear in its guidance that being a fee-exempt organisation or not needing to appoint a DPO does not remove the need for an organisation to comply with its other obligations under GDPR.
Lack of, or use of incorrect, documentation with regards to the processing or sharing of personal data
Organisations often do not realise they should have written agreements in place with their third party processors (eg. with payroll service providers) that comply with GDPR’s requirements. Alternatively, some organisations that have recognised the need for an agreement may have too readily assumed the recipient of personal data is a processor rather than a controller; in such circumstances, there should be a data sharing agreement in place rather than a data processing
These issues take us back to the importance of understanding the fundamentals of being a controller or a processor, and of readily recognising the parties’ respective roles, so that the correct documentation can be put in place to manage the flow of data between them.
Concerns around Brexit, and what businesses should do if there is a “no deal” Brexit
The only certainty, currently, is that if there is a true “no deal” Brexit, the UK will be deemed to be a “third country”, and transfers to and from the UK may require additional documentation – for example, use of the EU-approved Standard Contractual Clauses.
Given the lack of certainty, many organisations are choosing to sit things out; once matters are finally settled, those organisations must be prepared to act quickly to address data transfers.
Inadequate privacy / fair processing notices
Organisations may have uploaded a new privacy notice on their website but often they have neglected to consider:
- if that notice is appropriate
- if the website is the best place for it
- what other fair processing notices or other consents are required.
For example, have the pension trustees provided beneficiaries with a privacy notice, or have employers provided employees and prospective employees with an appropriate updated privacy notice?
Typically, organisations will require two or more privacy notices, depending on how they are structured and their business operations.
Costs of compliance
Why so many issues given the high profile introduction and coverage? One significant factor is undoubtedly lack of resource, both financial and human. There is no doubt GDPR-compliance is costly, and finding the right people is difficult given a dearth of data protection professionals.
Headline grabbing fines
And what of those headline grabbing fines – at worst, the greater of €20,000,000 or 4% of global turnover?
To date, we have not seen fines anywhere near that level, though it would appear many European data protection agencies (DPAs) are just warming up. Fines across Europe for data protection breaches total some €56m for GDPR breaches since May 2018, from more than 200,000 reported cases.
To give you a flavour as to the direction of travel, having never previously issued a fine, the Polish Data Protection Office imposed a €220,000 fine on a Polish company in March this year for failing to provide data subjects with information about the processing of their personal data.
In the UK, Facebook and Equifax share the top spot for the highest fines. The £500,000 fines imposed sound like relatively small beer under the new regime, but bear in mind that the offences had been committed (and assessed) under the Data Protection Act 1998, which capped fines at £500,000.
The ICO has stated that it is seeking to help businesses comply and therefore enforcement notices or other specific guidance may be offered prior to a fine being issued. Going forwards we can expect to see more significant fines being imposed.
Of course, DPAs also have other sanctions available to them which can have a profound impact. They can, for example, require an organisation to temporarily or indefinitely suspend processing of personal data. The Maltese DPA exercised this sanction when it required the country’s national land register to temporarily suspend processing of personal data while the DPA investigated a data breach. Imagine how such a sanction may impact on a data-reliant business.
The EU may have been the first to increase regulation of the collection and processing of personal data, but it will certainly not be the last. In our data-driven and (internet) connected world, many countries and states are looking to bolster laws relating to data subject rights, data breaches and accountability requirements. Some examples? India, South Korea, Brazil, Israel and California, to name but five, are all looking at increased regulation.
Given the need for continued compliance, the issues seen to date and the prospect of further regulation, it’s never too late to engage with our Data Protection lawyers and find out how they can help you on the journey to compliance.