GDPR – one year on!
2018 saw a panic and flurry of action by companies in the lead-up to the General Data Protection Regulation (GDPR) taking effect on 25 May 2018, as they scrambled to become compliant as soon as possible. One year on, however, data protection has largely been forgotten, or at least relegated to the bottom of the to-do list. So what impact has the GDPR had on companies?
The hype around the GDPR has certainly led to greater awareness among individuals of their data protection rights. Supervisory authorities across the EEA have logged 144,000 queries and complaints and over 89,000 data breach notifications, and most authorities have reported an increase in complaints and queries since 2017. The ICO also issued 103 monetary penalties for non-payment of the data protection fee in 2018, including 16 penalties of £4,000.
In Q2 of 2018/19 the ICO reported a total of 4,056 data security incidents (personal data breaches under the DPA or PECR) and took the following enforcement actions:
- 18 July 2018 – The Independent Inquiry into Child Sexual Abuse (IICSA) was fined £200,000 for revealing the identities of abuse victims in a mass email
- 9 August 2018 – Lifecycle Marketing (Mother and Baby) Ltd, also known as Emma’s Diary, was fined £140,000 for illegally collecting and selling the personal information of more than one million people
- 20 September 2018 – Equifax Ltd was fined £500,000 for failing to protect the personal information of up to 15 million UK citizens during a cyber-attack in 2017
- 28 September 2018 – BUPA Insurance Services was fined £175,000 for failing to have effective security measures in place to protect customers’ personal information.
Note that all four of these fines were issued under the Data Protection Act 1998, because the underlying breaches pre-dated the GDPR; the Equifax fine of £500,000 was the maximum available under that regime. For breaches occurring after 25 May 2018 the ceiling is €20 million or 4% of worldwide annual turnover, whichever is higher. The seriousness of these actions shows that it is now more important than ever for companies to make sure they are complying with the GDPR/DPA 2018, because the further we get from the implementation date, the less justification there will be for non-compliance.
Key obligations companies need to be aware of
Data protection fee
Organisations that determine the purposes for which personal data is processed (i.e. controllers) must pay a data protection fee to the ICO unless they are exempt. There are three tiers of fee, ranging from £40 to £2,900, payable depending on the size of the organisation.
Accountability
Organisations must be able to demonstrate compliance with the GDPR by, for example, adopting data protection and other appropriate policies and procedures, maintaining documentation of their processing activities (records of processing), recording and reporting personal data breaches, and implementing appropriate technical and organisational security measures. These obligations are ongoing and must be reviewed and updated as necessary.
Transparency and right to be informed
Organisations must be clear with individuals about how they are collecting and processing their data, including the purposes of the processing and the lawful basis relied on.
Consent
Where consent is the lawful basis relied on, the GDPR sets a much higher standard than before, including the following:
- It must be unambiguous and involve a clear affirmative action (pre-ticked opt-in boxes and silence or inactivity do not count as consent)
- Organisations must keep records to evidence consent (who consented, when, how, and to what they were told at the time)
- Individuals must be able to withdraw consent at any time
- It must be as easy to withdraw consent as it was to give it.
Personal data breaches
Breaches that are likely to result in a risk to individuals must be reported to the ICO within 72 hours of the organisation becoming aware of them, and where the risk is high the affected individuals must also be told without undue delay. Organisations must keep a record of all personal data breaches, whether or not they are reportable.
Third party processors
Where third party processors are used, there must be a written contract in place containing the mandatory clauses and obligations set out in Article 28 of the GDPR (for example, processing only on the controller’s documented instructions, security measures, sub-processor approval and assistance with breach notification).
International transfers
Transfers of personal data outside the EEA are only permitted where the rights of the relevant individuals are protected, for example by transferring to a country covered by an adequacy decision or by entering into standard contractual clauses with the recipient. Note that if the UK leaves the EU without an agreement covering data protection, it may be treated as a third country (i.e. a country outside the EEA), and organisations transferring personal data to the UK from within the EEA in particular will need to consider putting appropriate safeguards in place.