GDPR – One Year On by DLM Group

Just over a year ago huge changes came about in privacy and information rights with the new General Data Protection Regulation (GDPR) and the Data Protection Act 2018.

This was all about getting privacy right and has increased protection for the public and obligations for organisations.

However, in order to build public trust and confidence, there is still much to do and a key area of work for the ICO will be to support all parts of the UK business community, from the smallest SMEs to bigger organisations, in order to deliver what is needed. This includes Data Protection Officers (DPOs) employed and supported in their respective organisations by senior management.

In the second year of the GDPR, organisations need to shift their focus to real accountability, with a thorough understanding of the risks to individuals in the way they process data and how those risks should be mitigated. Well-supported and resourced DPOs are central to this.

Strong accountability shows people increasingly how their data is being used and stored and this, in turn, instils trust and confidence. The ICO, like all other organisations, has had to adjust too and is committed to supporting DPOs and organisations to make sure all correct procedures are followed.

The ICO endeavours to help small organisations to understand their responsibilities, but those who do not take this responsibility seriously, or who break the law, will see that the ICO will act swiftly and effectively. As a result, there have been more than 40,000 data protection complaints since 25 May 2018 and over 14,000 personal data breaches reported.

Many of the investigations launched with the new powers are now nearing completion and outcomes will be available soon.

The past 12 months have been pivotal for data protection and have seen people realise the importance of their personal data. There is a greater awareness of the law, in particular the data rights of individuals, and a greater awareness of the role of the regulator where rights aren’t being respected. Research conducted in July 2018 found one in three (34%) people have high trust and confidence in companies and organisations storing and using their personal information – significantly up from the 21% in 2017.

At the same time, the need to be ready for the GDPR prompted organisations to make significant changes – they determined the legal basis under which they collected personal data, inventoried the data they held, examined how data was used in their supply chains and refreshed their consents.

As a result, in many organisations, the GDPR has placed a significant responsibility on DPOs, bringing with it the on-going challenge of normalising the new regulations. It also shows the importance of an embedded DPO with the right support. The challenges faced every day by DPOs mean that having the seniority and engagement from board level is critical to their success. Resourcing these roles should be a key priority for both public and private sector organisations.

Figures supplied by the ICO show that more than 90% of DPOs had an accountability framework in place and 61% reported that their framework is well understood in their organisation. Overall, three quarters of DPOs said that their information rights messages were getting through to their senior leadership team, and they felt supported in their duties.

Beyond the DPO community, it has been recognised that it hasn’t been easy for small organisations to become GDPR compliant. Legal bases for processing, data auditing and privacy policies take time to understand and there are no quick fixes for making sure people’s personal data is being processed legally. For sole traders this has been particularly difficult.

One of the myths of the GDPR is that it prevents data sharing. This isn’t true. Data sharing brings important benefits to organisations, citizens and consumers, making their lives easier and helping with the delivery of efficient services. The GDPR aims to ensure that there is trust and confidence in how organisations use personal data, and that organisations share data securely and fairly. To achieve this, it is important that data controllers have clear guidance on data sharing so that individuals can be confident that their data is shared securely and responsibly. A call for views on the data sharing code closed in September 2018 and the ICO is considering these views in order to develop a draft code for formal consultation. The consultation is expected to launch in June 2019, and the code is expected to be laid before Parliament in the autumn.

The direct marketing code aims to ensure that direct marketing continues to be a useful tool for organisations to engage with customers to grow their business or publicise and gain support for causes. It must also avoid being intrusive and ensure that all activities are compliant with the GDPR, DPA 2018 and the Privacy and Electronic Communications Regulations. A call for views closed in December 2018 and the feedback will inform a draft code, with a formal consultation on this in June 2019 and the aim of finalising the code by the end of October. The ICO will review the code once the new European Union e-privacy regulation is completed, and update it if necessary.

The ICO enforces whilst providing support and guidance, and will not hesitate to act in the public interest when organisations wilfully or negligently break the law. Enforcing the GDPR is not just about big fines; it’s about using all the tools set out in the ICO’s Regulatory Action Policy. This policy sets out the ICO’s objectives for regulatory action. The ICO will:

– respond swiftly and effectively to breaches, focusing on those involving highly sensitive information, adversely affecting large groups of individuals or those impacting vulnerable individuals.

– be effective, proportionate, dissuasive and consistent in their application of sanctions, targeting their most significant powers on organisations and individuals suspected of repeated or wilful misconduct or serious failures to take proper steps to protect personal data.

– support compliance with the law, including sharing information in relation to and otherwise contributing to the promotion of good practice and providing advice on how to comply with all aspects of legislation.

– be proactive in identifying and mitigating new or emerging risks arising from technological and societal change.

– work with other regulators and interested parties constructively, at home and abroad, recognising the interconnected nature of the technological landscape in which they operate and the nature of data flows in the expanding digital economy.

The policy also sets out how the ICO will use its enhanced powers to pull back the curtain on processing where the public have concerns, for example social media companies, political parties, data brokers and the use of new technologies by law enforcement agencies. The ICO is increasingly using its powers to change behaviours, and will use the tools at its disposal to ensure individual rights are upheld and organisations comply with the law. In its recent action against HMRC for failing to get consumer consent to use their voices in recognition software, the ICO issued HMRC with an enforcement notice and ordered it to delete the records of five million individuals.

Under the GDPR the ICO is able to issue formal assessment notices to any organisation, either public or private. Under the DPA 1998 the Commissioner only had compulsory audit powers in respect of central government and health organisations. These new powers of inspection have enabled the ICO to proactively respond to concerns raised by the public about unsolicited marketing communications and fair and unlawful processing. 15 assessment notices were issued under the new law in conjunction with the ICO’s investigations into data analytics for political purposes, political parties, data brokers, credit reference agencies and others. The ICO also issued organisations with warnings and reprimands across a range of sectors including health, central government, criminal justice, education, retail and finance, plus eleven information notices that have allowed the ICO to progress its investigations. To make sure the enforcement work is targeted in the right areas, the ICO uses the information received from the public and other sources to inform its strategic threat assessment and support its investigations and enforcement work. This includes information from personal data breach reports, concerns reported by the public and working with other regulators.

CASE STUDY

In May 2017 the ICO launched a formal investigation into the use of data analytics for political purposes after allegations were made about the ‘invisible processing’ of people’s personal data and the micro-targeting of political adverts during the 2016 EU referendum. The inquiry eventually broadened and has become the largest investigation of its type by any data protection authority, involving social media online platforms, data brokers, analytics firms, academic institutions, political parties and campaign groups.

The investigation was conducted under both the previous and new legislation. In order to seize evidence as part of the investigation, the ICO requested a warrant, which meant it took 17 days from the outset to gain access to Cambridge Analytica’s premises. ‘No-notice’ assessment notices mean that access to companies’ data protection practices comes faster than under the previous legislation. The first enforcement notice was issued under the DPA 2018 to Aggregate IQ, a Canadian data broker and one of the organisations that formed part of the investigation. It ordered the company to delete certain personal data it held about UK citizens. Under the previous legislation Facebook was issued with a £500,000 fine because of the timing of the breaches. The fine could have been higher under the new legislation. Before 25 May 2018, most companies had to agree to an audit. Now the ICO has the power to issue assessment notices and did so soon after the introduction of the new laws in order to understand how the three credit reference agencies and three main data brokers collect and use people’s personal data for direct marketing.

The ICO received around 14,000 personal data breach (PDB) reports in the last 12 months, compared with around 3,300 PDB reports in the previous year. 12,000 of these cases were closed during the year. Of these, only around 17.5% required action from the organisation and less than 0.5% led to either an improvement plan or civil monetary penalty. While this means that over 82% of cases required no action from the organisation, it demonstrates that businesses are taking the requirements of the GDPR seriously and it is encouraging that these are being proactively and systematically reported to the ICO. These figures also show that it remains a challenge for organisations and DPOs to assess and report breaches within the statutory timescales. The ICO recognises this and provides support and guidance to help organisations to meet the requirements to report.

The personal data breaches reported to the ICO have resulted in a range of outcomes. An example of a reported breach where no further action was required involved a nursery that produced Father’s Day cards for the children to take home. In the card was a photo of the child. There were two children with the same name at the nursery, which accidentally put child A’s photo in child B’s card and vice versa. No further action was required and it was decided that this breach was not reportable, as it is unlikely individuals’ rights and freedoms would be impacted by the wrong photo being sent out. The ICO provided advice to the nursery about reporting thresholds.

Personal data breach reports

An example of a breach where the ICO took formal action: As a result of administrative errors, an organisation disclosed personal data to incorrect recipients. The investigation determined that whilst this was not a systemic failing, it nevertheless demonstrated that established policies and procedures were not always being followed. The organisation was therefore issued with a reprimand to take certain steps to improve compliance with the GDPR, including ensuring that all staff attended mandatory training; that policies and procedures be enforced and reiterated to staff on a regular basis; and that contact details are checked on all correspondence.

Greater awareness of individual rights has had a significant impact on the number of concerns raised by the public. From 25 May 2018 to 1 May 2019, the ICO received over 41,000 data protection concerns from the public. The figure for 2017/18 was around 21,000. Subject access requests remain the most frequent complaint category, representing around 38% of data protection complaints received. This is similar to the proportion before the GDPR (39%). In fact, the general trend is that all categories of complaint have risen in proportion with the overall increased number of complaints since the implementation of the GDPR.

The ICO also sees that some sectors are responsible for higher numbers of breach reports and data protection concerns. The health sector, for example, accounts for over 16% of PDBs and 7% of data protection complaints. Local government accounted for 8% of PDBs and 9% of data protection complaints. Lenders accounted for 6% of data protection complaints. This intelligence helps the ICO to target its guidance, support and action in the areas where there is the greatest regulatory risk.

In the modern world, data truly has no borders.

The GDPR has an international impact, applying to every company that does business in Europe. The international strategy commits the ICO to maintaining the strong links it has in Europe and beyond. It also sets out a clear vision of where the ICO needs to develop its capacity to share investigatory information and to share best practice from international exemplars.

EU Data Protection Board figures indicated that from 25 May 2018 to 1 May 2019, there were around 240,000 cases across the EU (data protection complaints, data breaches, proactive investigations or other similar issues). The ICO received over 55,000 of these (roughly 23%). Where the data protection cases reported have cross-border implications throughout the EU, these are reported to a lead EU data protection authority. The UK is currently the lead supervisory authority on 93 of these cases. In addition, the UK is working on behalf of UK citizens to uphold their information rights in 58 other cases where other EU data protection authorities are the lead supervisory authority, and the UK is a concerned supervisory authority. The ICO continues to grow and strengthen its links with the EU supervisory authorities to support on-going data protection work, protecting the information rights of UK citizens.

On a wider global stage, in October 2018 the Information Commissioner was elected as chair of the International Conference of Data Protection and Privacy Commissioners (ICDPPC), which brings together around 120 data protection offices across the world. This role gives the UK an ability to not just share policy and enforcement experience, but to take on a leadership role within the global privacy and information rights community.

On a national level the ICO has continued to develop and build relationships with other regulators, including joining the UK Regulators Network (UKRN). These relationships not only support its enforcement and operational work, but also enable it to ensure that data protection and information rights are a key topic across sectors.

To meet the challenges of the GDPR the ICO has had to expand and it was vital to recruit and retain staff with the right skills and experience. In November, the ICO issued their first penalty notices for non-payment of the data protection fee. Up to 30 April 2019, over 3,800 notices of intent to fine for failure to pay the fee were issued, and of these nearly 2,300 payments totalling around £627,000 were received. For the same period, over 300 Final Penalty Notices were issued for non-payment of fees, resulting in nearly £100,000 in fees and penalties. In 2019/20, they will continue to investigate where companies have not paid the fee, particularly large companies.

The future

There is much left to do and the ICO will continue to strive to deliver regulatory outcomes that support their mission of upholding information rights for the UK public in the digital age and the trust and confidence in how data is used. They will continue to focus on the areas identified as their regulatory priorities including:

  • AI, big data and machine learning
  • Children’s privacy
  • Cyber security
  • Use of surveillance and facial recognition technology
  • Web and cross-device tracking for marketing purposes.

Our view

It’s been a year of testing the waters but by the end some serious cases have come to light with some businesses being prosecuted and ending up with considerable fines.

The message from the ICO is clear – you’ve had some leeway but people, despite a stumbling start, are now more aware and are ready and able to act. What this means for businesses and institutions is that they cannot just do the minimum; they must exercise a duty of care to their staff to make sure they, in turn, aren’t going to be exposed to possible prosecution.

Reputations are at risk here and if staff or customers fall victim to a breach, trust is compromised and customers won’t return. It’s funny how so many businesses will happily buy all the latest gadgets, spend a small fortune on marketing budgets and all the necessary insurances and yet employing a DPO is still something that sits low on the list of priorities. A DPO will not only protect your reputation but will also protect you from sizeable fines.

It is important that businesses keep ahead of the competition and one way of ensuring this is by displaying responsibility via the services of a DPO, making sure that all aspects of the data supply chain are safeguarded.

86% of crime in the UK is cyber related and just because some companies appear huge doesn’t mean they are not vulnerable. Hacking and data breaches appear at all levels so never assume that if you’re big you’re untouchable. In a similar vein it is undoubtable that the ICO, with its expanding workforce, will be looking at all sizes of business.

The six principles for the processing of personal data

The GDPR outlines six data protection principles you must comply with when processing personal data. These principles relate to:

  1. Lawfulness, fairness and transparency – you must process personal data lawfully, fairly and in a transparent manner in relation to the data subject.
  2. Purpose limitation – you must only collect personal data for a specific, explicit and legitimate purpose. You must clearly state what this purpose is, and only collect data for as long as necessary to complete that purpose.
  3. Data minimisation – you must ensure that personal data you process is adequate, relevant and limited to what is necessary in relation to your processing purpose.
  4. Accuracy – you must take every reasonable step to update or remove data that is inaccurate or incomplete. Individuals have the right to request that you erase or rectify erroneous data that relates to them, and you must do so within a month.
  5. Storage limitation – you must delete personal data when you no longer need it. The timescales in most cases aren’t set. They will depend on your business’ circumstances and the reasons why you collect this data.
  6. Integrity and confidentiality – you must keep personal data safe and protected against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Accountability – Accountability is a new principle under the General Data Protection Regulation. It focuses on two key elements: your responsibility to comply with the GDPR and your ability to demonstrate compliance.