Yes, it’s been a whole year since the GDPR was brought into force in the UK – the biggest change to data privacy legislation for 20 years. But excitement for the new legislation peaked at implementation (at one point in May 2018 ‘GDPR’ appeared to be trending higher in Google Search volume than Beyoncé) and now, over a year later, we have reached a state of GDPR-fatigue.
If your business has started to think of GDPR as a bygone craze rather than a continuing obligation, it might be time to reassess. France’s supervisory authority, the CNIL, has warned recently that this last year has only been a warm-up. If that doesn’t scare you, keep reading for our round up of the lessons we have learned and our recommendations and tips for ongoing compliance.
“A stitch in time, saves nine”
Last month, high end paint manufacturer Farrow & Ball lost their appeal against an ICO monetary penalty for failing to pay the statutory data protection fee. Farrow & Ball should have paid an annual fee of £2,900 to maintain their registration with the ICO as a data controller but failed to do so by the relevant deadline. As a result, the ICO issued Farrow & Ball a monetary penalty of £4,000.
Farrow & Ball appealed on the basis that the company’s data protection officer was away on holiday when the letter about the fee came in and the ICO did not issue any further reminders. The ICO dismissed their appeal stating that:
“...a reasonable data controller would have systems in place to comply with the Regulations...the Appellant has pointed to no particular difficulty or misfortune which explains its departure from the expected standards of a reasonable data controller”.
This serves as a healthy reminder to ensure that you are on top of your paperwork as the ICO will have no sympathy for non-compliance as a result of human error. Consider yourself warned!
“Honesty is the best policy”
In April 2019 a pregnancy club, Bounty UK, was fined £400,000 by the ICO for sharing personal data of more than 14 million people without their knowledge or permission.
Bounty collected the data via its website, mobile app, promotional merchandise and directly from data subjects, but failed to tell them that the information would be sold to third parties for direct marketing purposes. As the activities in question took place prior to 25 May 2018 they fell under the remit of the older (and less punitive) Data Protection Act 1998.
If you’re relying on consent to carry out processing, ensure you are concise, clear and consistent about your purposes and what you will do with the data. Don’t overstep the boundaries of the consent given!
“As safe as houses”
Just how safe is your data? Over the last 12 months Uber, British Airways and Equifax have all been the victim of attacks by hackers leading to the unlawful access of millions of customers’ personal data.
In November 2018 Uber was fined £385,000 by the ICO over the hack in which 2.7 million customers were affected. The ICO considered that Uber had failed to adequately protect the data in their possession, not only that, they had failed to take prompt action to notify the affected customers.
Equifax suffered a similar breach and was issued a £500,000 fine by the ICO in September 2018. The ICO said that avoidable errors in Equifax’s security systems led to data being unlawfully accessed but that they also found evidence that Equifax was keeping data for longer than necessary.
Uber and Equifax’s breaches both took place prior to 25 May 2018 meaning fines could not exceed £500,000, the maximum permitted under the Data Protection Act 1998. The investigation into British Airways is still ongoing and is likely to be much higher as the incident will be investigated under the GDPR where fines can reach up to €20,000,000 or 4% of global turnover, whichever is highest.
Whether you think you’re a target for hackers or not, make sure you’re regularly testing and upgrading your security. Remember, sometimes your biggest risks are your own employees so ensure that you emphasise the importance of data security around the workplace!
GDPR is here to stay so no matter the size of your business, don’t allow data protection to become a low priority. Make sure you follow our top tips to avoid falling foul of the rules…
- Nominate a data protection officer (‘DPO’) or, if your organisation is not required to have one under the GDPR, appoint a ‘privacy manager’ to be responsible for complying with statutory requirements such as paying fees and responding to data subject access requests.
- Carry out regular security testing of your system and ensure that all staff receive regular training about their role in ensuring compliance.