An article published in the Independent on 28 August 2018 reported that data breach complaints had increased by 160% since the General Data Protection Regulation (GDPR) came into force. This staggering statistic does not come as a surprise, given the amount of media attention and the government campaigns there were for GDPR.
The media attention has raised awareness among individuals, giving them more power to control how their data is used and to hold businesses to account for their actions. Whilst the spirit of the regulations is clear, the work involved for businesses and the means by which this tool could be used are causing many concerns and, in some cases, detriment.
As a firm of solicitors, we have experienced our clients’ ex-employees challenging them regarding their data; we have had clients’ former employees using business data in breach of GDPR, placing our client in potential breach; we have seen confusion over opting in and out; misunderstanding about what data you are permitted to hold and share; service providers’ contracts that are out of date; and the sale of data and companies flagrantly breaching the spirit.
Be prepared and be ready
Leading up to the introduction of GDPR, there was a simple message: get ready for the changes by 25 May 2018 or face the prospect of heavy penalties! However, we have not seen a volume of UK court cases or ICO public enforcement notices.
The UK regulators have gone into Canada’s Aggregate IQ and given them the first GDPR enforcement notice, giving the company 30 days to comply with data regulations or face a fine of up to €20 million. This is currently going to appeal. However, everything else seems very quiet and calm… Could there be a storm looming?
We also understand the ICO are suffering from extreme over-notification of data breaches. In September 2018, the Deputy Information Commissioner remarked: “Some controllers are ‘over-reporting’: reporting a breach just to be transparent, because they want to manage their perceived risk or because they think that everything needs to be reported…”.
Should you still plan ahead?
Being prepared and GDPR compliant is still advisable: we suspect change will come, and come fast, as many lawyers for potential claimants are gearing up for UK court action. The Morrisons Appeal has been upheld and claimants are reporting breaches daily. You need to have your processes and policies in place, your systems checked and monitored, and a record of any breaches available should they need inspection, so you can show your efforts to comply.
The Ticketmaster breach clearly shows why data security is as important as why our data is retained, for what purpose and for how long. This breach affected customers buying tickets between September 2017 and 23 June 2018, so it spans two data protection acts: the Data Protection Act (DPA) 1998 and the Data Protection Act (DPA) 2018, the latter being the UK’s version of the EU’s General Data Protection Regulation (GDPR). Which will prevail is currently under review, but there are numerous breaches, including:
Failure to put in place robust technical measures to protect data
Not having adequate internal policies, procedures and internal organisation
Possibly failing to report a breach within sufficient time.
It will be a case to watch as to whether the ICO support change or penalise for this breach.
Recently we have seen reports that British Airways and Marriott Hotels have both suffered data breaches. In line with their reporting requirements, they were reported to the ICO. The ICO has confirmed they are investigating the Marriott Hotels data breach.
Furthermore, the first organisations have been fined for not renewing their fees with the ICO. It is reported that many more fines are to follow. According to the ICO website, “more than 900 notices of intent to fine have been issued by the ICO since September and more than 100 penalty notices are being issued in this first round.”
Businesses should be aware that they will be breaking the law if they do not pay their fees to the ICO. These fees are payable by any business which collects and processes personal data.
Those that are complying decided it was ultimately good for business, for two reasons. Firstly, businesses are concerned they will be faced with penalties by the Regulator if they fall foul of the regulations and secondly, businesses want to maintain customer confidence. Both go hand in hand.
Post-GDPR, several regulators across Europe have reportedly seen an increase in the number of complaints received. The Information Commissioner’s Office, in particular, has seen a major increase in complaints from ‘data subjects’ (individuals who are the subject of data protection) as well as businesses reporting data breaches they have suffered.
Businesses who collect and retain large amounts of data appear to be suffering the most. We have seen more cases arise out of the large corporations in recent months and these have been well documented in the media as well as on the ICO website.
What have these six months taught us?
We have seen more businesses strive to implement real change in the way they collect data and handle it. Some of the work which we have undertaken for businesses has been reviewing and drafting customer and staff policies; web policies; amending staff handbooks and contracts; auditing their third-party contracts; general assistance with their processes; and internal training. These are some of the things which other businesses can take note of and really think about when considering their own processes.
If anything can be taken from all of this, it is that data protection is fast becoming an area where more ‘breach cases’ will arise. Businesses must continue to actively remain GDPR compliant by reforming and improving their processes and policies if they are to protect themselves from litigation and/or action being taken against them by the ICO.