At our recent breakfast seminar, we sat down with representatives from a number of regional and national businesses to consider what impact the GDPR has had on our lives (both professional and personal!) since its introduction 12 months ago on 25th May 2018.
We thought it would be good to provide you all with a summary of what was discussed at our seminar, together with additional thoughts and comments from the ICO, who last week published its own blog post focussing on its experiences and lessons learned.
Data subject rights
Given the number of emails that everyone received in the weeks approaching 25th May 2018 asking them to renew their consent to various marketing subscriptions and informing them of updates to privacy policies, it is perhaps unsurprising that one trend which has become apparent in the last 12 months is an increase in individuals exercising their data rights.
This is backed up by the ICO’s statistics, which state that 64% of DPOs surveyed in March 2019 either agreed or strongly agreed that they had “seen an increase in customers and service users exercising their information rights since 25th May 2018”.
The right that individuals are most likely to exercise is the right of access, by making a subject access request. The right of access allows an individual to require a business to give them a copy of all the personal data it holds on them as well as other supplementary information.
Subject access requests can place businesses under a significant amount of strain, due to the time and expense that is often required to sift through all those pages of correspondence and various documents in order to comply with them.
In order to fully respond to a subject access request a business needs to provide individuals with all the personal data it holds on them; however, there are exemptions which allow some information to be withheld. It can be a difficult task identifying exactly when these exemptions can be relied on and, of course, if a business withholds information incorrectly then it risks being in breach of the GDPR, a potential ICO investigation and other sanctions. We recently assisted a client who had incorrectly been advised they could decline responding to an individual’s subject access request due to the fact they were currently in the middle of tribunal proceedings with that individual. This left them with only three days to respond to the subject access request within the one-month period required.
Awareness
John Parker, Corporate Development Director of Wasps Rugby Club, discussed some of the data protection issues that Wasps had had to deal with in the months preceding and following the coming into force of the GDPR.
Due to the high volume of footfall that comes through their stadium, Wasps has always collected a lot of personal data on a large number of individuals, and this was a major reason for them carrying out an internal GDPR audit. However, this was somewhat mitigated by Wasps’ relatively recent relocation to Coventry from Wycombe, which, at the time, had prompted a cleanse of a lot of the historic data they held. This meant that all the personal data Wasps held and had to consider as part of their audit was relatively new.
John also emphasised the need for businesses to ensure that everyone within their organisation was aware of the GDPR and how it impacted on their role within the business.
Whilst it is important to have clear policies and procedures in place which set out how a business is compliant with the GDPR, these are of little value if the individuals within that business are unable to implement them on a day-to-day basis.
Training should be rolled out to all staff on a regular basis (and to new starters as part of their on-boarding) to ensure that they are up to speed with the requirements of the GDPR and what steps they can take in their role to help the business remain GDPR-compliant and avoid any enforcement action from the ICO.
With this in mind, the ICO has worked hard over the last 12 months to ensure that there is a suite of documents and guidance on its website available to all, so that, if required, individuals can find out more information about all of the various requirements of the GDPR.
The ICO runs a dedicated enquiries hotline, live chat and written advice service, which received over 470,000 contacts in 2017/2018, a 66% increase from 2017/2018. It is also in the process of setting up a “one-stop shop for SMEs”, drawing together its expertise to help the ICO better support those organisations without in-house compliance resources.
In our experience, some clients also like to receive training on specific data protection issues that are particularly relevant to their business, such as how to carry out marketing in a GDPR-compliant way or when to perform a data protection impact assessment.
Cyber security
Richard Merrygold of iSTORM Solutions talked about how cyber security is a key issue to address in order to stay compliant with the GDPR. Today, it is much more likely that a business is going to suffer a personal data breach by someone hacking into its computer systems rather than through the theft of physical files from its office.
There are a wide variety of cyber security solutions out there and it is important to get the right one for your business. Engaging a cyber security consultant can help identify the areas of risk in a business’s network, understand the level of risk involved and implement proportionate technological measures to help prevent unauthorised access to its personal data.
Enforcement
Underpinning a lot of the publicity around the GDPR before it came into force was the size of the potential fines. Whilst the GDPR did introduce the possibility of the ICO fining a business up to 4% of their global turnover or €20m, the reality is that the largest fine imposed in the UK (£500,000) is yet to reach seven figures, let alone eight.
That being said, a number of the data protection cases that have concluded since the GDPR came into force relate to breaches that occurred under the previous data protection regime. It is widely anticipated therefore that we may yet see an increase in the average size of the fines imposed on businesses over the next couple of years. The suspicion does remain that the ICO will want to make an example of a large organisation in order to give teeth to the GDPR but there are no indications of who this might be at present.
According to Senior Associate at Wright Hassall, Claire Halle-Smith, “provided that organisations are transparent and notify the ICO of any (notifiable) breach promptly, can illustrate they have made significant attempts to comply with the GDPR and show a willingness to cooperate with the ICO, the ICO is less likely to issue a fine. Conversely, a blatant disregard for the legislation or the enquiries of the ICO is more likely to lead to a fine and, in some circumstances, prosecution.
Communicating openly is therefore vital, and genuine efforts to rectify the issue will more likely result in the milder sanctions such as the issue of an enforcement notice, the requirement of an undertaking and/or recommendations around the implementation of practical changes. Claiming ignorance of a breach or activity leading to a breach is not an excuse; directors and officers need to include data protection on board agendas and ensure their organisation takes data seriously.”
The ICO is keen to stress that it will be “effective, proportionate, dissuasive and consistent” in its application of sanctions. This is borne out in the way breaches have been handled to date under the GDPR. In short, the ICO wants to work alongside businesses to help them comply with the law rather than penalise them the moment they fail to do so.
A year ago, there were also concerns about whether the ICO would have sufficient resources to be able to enforce the GDPR. Twelve months on, the ICO’s workforce has grown “from 505 to more than 700” and it has introduced a new fee-paying regime to replace the registration requirement previously imposed on data controllers. The result is that the ICO is in a much better position to actively deal with the data breaches which are reported to it, and to invest in new technologies and tools to produce guidance that helps businesses comply with the law and helps individuals understand their data rights.
Insurance
Ian McKinney of Gallagher Insurance explained the different insurance policies available to businesses wanting to protect themselves in the event of committing data protection breaches.
As mentioned earlier, preparing a full response to a data subject making a subject access request can be a significantly costly exercise, whilst implementing changes to address a personal data breach can also involve a considerable amount of investment and expenditure. This does not even take into account the potential reputational damage a business could suffer, the management time spent coordinating any response to a data subject or rectifying any personal data breach or the cost of engaging external advisers.
One thing to look out for is the extent to which policies will protect businesses in respect of the costs they incur in responding to individuals exercising their data rights and reporting and dealing with data breaches. Currently, the extent of cover is typically between £250,000 and £500,000 so getting as much value for money as possible is paramount.
Some insurance providers offer cyber insurance as an “add on” to standard business insurance policies. However, Ian advised businesses against purchasing these types of policies as they are likely to be too limited in scope. A careful analysis of the different products on the market is therefore required.
Ian also remarked on the fact that there were still a number of businesses who adopted a relaxed approach to taking out data protection and cyber insurance. Despite the relatively low risk of a fire breaking out in the office, businesses would never think not to take out property insurance for damage caused by fire. However, the same cannot be said for cyber-attacks and personal data breaches, with some organisations still seeing data protection and cyber insurance as a “nice to have” rather than an “essential”.
Given that the data a business holds on its customers is often one of its most valuable assets, and that the way businesses store data means it is more than likely to be held on a computer system, it would seem that having data protection and cyber insurance in place will become essential for more and more businesses in the years to come.
Data protection and cyber insurance is still in its infancy, with plenty of variety between different providers’ policies. Over time, the market will become more uniform and consistent, hopefully reducing the amount of time businesses currently have to spend comparing the extent of cover on different policies.
Accountability
Having analysed what has occurred over the previous twelve months, our key take-away message for the next twelve months is accountability.
The principle of accountability is a key feature of the GDPR – the ICO does not want businesses to simply ensure they are GDPR-compliant and then never think about data protection again. On the contrary, accountability is an evolving process and businesses need to be able to demonstrate that they are GDPR-compliant whenever they are required to do so.
This means ensuring that everyone within an organisation is familiar with the policies and procedures in place to help ensure GDPR-compliance and how they can help the business remain compliant in their day-to-day role.
In respect of future decisions relating to the business, data protection should always be a key consideration, whether that be in respect of how those decisions impact customer, supplier, employee or other types of personal data. This helps meet the GDPR’s “privacy by design” principle and helps ensure businesses are accountable to the individuals whose personal data they process.
On a day-to-day level, accountability also means keeping all necessary records required under the GDPR such as data processing activities and what personal data is held within the business. Risk registers and breach logs should be maintained and revisited on a regular basis. Whenever a decision is made in relation to a business’s data processing activities it should be documented together with the reasons why that decision was made.
Finally, in relation to personal data breaches, businesses should be open and accountable to the ICO. The ICO appreciates that the GDPR introduced a wave of new obligations and mistakes are inevitably going to happen. The best thing a business can do to minimise the sanctions imposed on it as a result of a data breach is to report the breach quickly and work with the ICO to take steps to reduce the risk of that breach reoccurring. Being open and accountable can therefore have a financial benefit to businesses as well.
Conclusion
The next 12 months will see everyone continue to get to grips with the requirements of the GDPR and demonstrate ongoing compliance through good record keeping, continued training of staff, and prompt handling of subject access requests and data (breach) incidents. They will also likely see a couple of larger fines starting to be issued by the ICO.