
GDPR one year on…

  • United Kingdom
  • Privacy, data protection and cybersecurity - GDPR

10-06-2019

The passage of a year since GDPR came into force has been a marker for the ICO and others to pause, reflect, and (importantly) for the ICO to give some indications as to what lies ahead.

The ICO has published a blog post. It is a useful snapshot of lessons learnt over the past 12 months and a suggestion of where things are headed.

The IAPP (International Association of Privacy Professionals) has also published an insightful infographic ‘GDPR at One Year: What We Heard from Leading European Regulators.’ This is a quick and useful snapshot revealing that (for instance) across the EU there were 144,000 individual complaints to those authorities, 89,000 data breach notifications, 440+ cross-border cases, and GDPR enforcement actions have resulted in EUR 56 million+ in fines. The ICO fed in on several key themes/issues, including complaints from data subjects and investigations for infringements. Many of these are borne out in the ICO’s own ‘One year on’ blog.

In this short briefing we focus on some key themes relating to enforcement, complaints and personal data breaches, as well as the possible direction of travel.

Enforcement trends

• The ICO has not, as yet, imposed any GDPR fines. However, it would be unwise to be complacent.

• Unsurprisingly the vast majority of ICO privacy related enforcement actions since 25 May 2019 have been for incidents preceding the GDPR’s entry into force. These cases were handled under the regime of the Data Protection Act 1998 and fines were to a maximum of 500,000 GBP. The ‘backlog’ is expected to end soon. Investigations related to GDPR compliance are underway, according to the Commissioner: ‘Many of the investigations launched with our new powers are now nearing completion and we expect outcomes soon, demonstrating the actions my office is willing and able to take to protect the public’.

• Certainly in other countries there have been GDPR fines. In January 2019 the French data privacy regulator (CNIL) fined Google 50 million Euros for (amongst others) lack of transparency and failures around valid consents.

• The ICO may or may not decide to impose GDPR fines in the coming months. However, let’s not forget that fines are not the only part of their toolkit. Non-monetary sanctions are often the most feared in practice. They can be highly disruptive and (still) financially costly. The ICO can order the infringer to ‘put things right’ by issuing a ‘stop’ notice or other forms of enforcement notices which require changed practices.

• Keep in mind too that personal data breaches (eg security incidents) are not the only risk point. The ICO has cited unfair processing and lack of transparency as an overriding theme in its investigations and enforcement actions during the past 12 months. Re-writing and reissuing privacy notices can be a time-consuming and costly exercise. Likewise, having to re-train staff or to erase infringing data sets can be tricky. Add to this the risk of reputational damage when ICO enforcement decisions are made public.

Personal data breaches

• There have been over 14,000 personal data breaches reported to the ICO since 25 May 2018. This is up from 3,300 reports in the prior year. 17.5% required ICO action. Less than 0.5% led to an improvement plan or a civil monetary penalty.

• Over-reporting is a problem. Many are erroneously thinking ‘if in doubt – report.’ The ICO’s position on this has not changed since September 2018 when, in its blog, the Deputy Information Commissioner highlighted the issue: ‘Some controllers are “over-reporting”: reporting a breach just to be transparent, because they want to manage their perceived risk or because they think that everything needs to be reported. We understand this will be an issue in the early months of a new system but we will be working with organisations to try and discourage this in future once we are all more familiar with the new threshold.’

• As a reminder, personal data breaches which do not pose ‘a risk’ to the rights and freedoms of individuals need not be reported to the ICO. Those which do not pose a ‘high risk’ need not be notified to data subjects. There will always be a judgment call to be made – quickly – about whether the facts of each breach do meet the threshold. Careful analysis is needed to properly determine whether to report.

• It remains a challenge for organisations and Data Protection Officers to assess and report breaches within the statutory timescales.

• In terms of whether to enforce following a personal data breach report, the ICO has indicated that it tends to consider the nature and seriousness, gravity and duration, of the breach; the number of data subjects affected and level of damage suffered; the nature of data subjects (eg vulnerable adults/children); whether the breach was negligent or intentional; what (if any) action was taken by the controller or processor to mitigate the damage; the track record of the controller or processor (previous infringements); how well it cooperated with the ICO to remedy the infringement and mitigate its effects; the way the breach became known to the ICO (e.g. self-reporting or data subject complaint); and whether there are any other aggravating or mitigating factors such as financial benefit gained by the controller or processor. Remember: these are not the factors relevant to whether or not to report, instead they relate to the ICO’s own assessment following that report. It is not for the controller to judge these items when deciding whether or not to report.

• A key theme is emerging of breaches happening at processor level. Steps can be taken by the controller to reduce exposure to this risk. Perform due diligence. Have in place the Article 28 GDPR processor terms and include clear security standards. Use the contractual right to obtain information and to conduct audits (i.e. ‘police’ the contract). Crucially, remember that processors inside a corporate group tend to be treated no differently from those appointed at arm’s length. Intra-group arrangements tend to be scrutinised to the same degree, for instance where there is a personal data breach at the processor entity.

• Remember: all breaches must be logged internally by the controller, whether or not they are reportable. Keep a personal data breach protocol and use it. Allocate responsibility for this to an appropriate person.

Complaints

• There have been more than 41,000 data protection complaints to the ICO since 25 May 2018. This is up from around 21,000 the previous year. It seems that awareness amongst individuals is rising and that there is more of a desire on their part to take action.

• The top three issues complained about are subject access requests (38% of complaints received); disclosures of personal data; and the right to object to processing. Commonly a DSAR complaint will be about a controller not having met the statutory timeframe and/or where the data subject is concerned that personal data has been held back without legitimate reason.

Regulatory Action Policy

• The ICO has published a Regulatory Action Policy. It is useful to be reminded of the ICO’s five objectives. First, to respond swiftly and effectively to (amongst others) personal data breaches, focussing on those involving highly sensitive information, those adversely affecting large groups of individuals, and/or those impacting vulnerable individuals. Secondly, to be effective, proportionate and dissuasive in its application of sanctions, with the most significant powers used for repeated or wilful misconduct or serious failures and where formal enforcement action serves as a deterrent. Thirdly, to promote compliance via good practice and targeted advice. Fourth, to proactively identify and mitigate new or emerging risks. Fifth, to work constructively with other regulators (e.g. FOS and FCA – hence the MOUs in place with these organisations in respect of information sharing).

What’s next from the ICO and EDPB (European Data Protection Board)

The IAPP has indicated that the EDPB (European Data Protection Board) is expected to issue guidance in 2019/2020 on (amongst others) video surveillance, data protection by design/default, targeting social media users, children’s data, concepts of controller and processor, legitimate interest, and the rights of access, erasure, objection and restriction.

According to the ICO, the focus for the coming year is to go beyond baseline compliance. Organisations need to shift their focus to accountability. This means being able to demonstrate compliance. Organisations should have a real, evidenced understanding of the risks to individuals in the way they process data and how those risks should be mitigated. Data protection impact assessments and legitimate interest assessments are part of this, as are well-supported and resourced Data Protection Officers (where the law requires it).

The ICO is to produce new statutory codes, including one for data sharing (consultation expected in June with the final form this autumn) and one for direct marketing (also expected for consultation in June with the final form in October). These will be critically important for very many controllers based here in the UK or caught by the GDPR’s extra-territorial reach.

Finally, regulatory priorities for the ICO will include (amongst others): cyber security; AI and ‘big data’; web and cross-device tracking for marketing purposes; children’s privacy; surveillance and facial recognition technology; and data broking (buying and selling data).