It is officially three years since the General Data Protection Regulation 2016 (GDPR) came into force in 2018 – so what have we learnt?
In this article our IP, IT and Data Protection team look back on GDPR trends from the last three years.
GDPR breach reporting has become the norm
For the first time in the UK, GDPR brought in mandatory breach reporting for certain data breaches. If an organisation suffers a data breach and it poses a high risk to individuals, it is required to report it to the UK data protection authority, the Information Commissioner (ICO), within 72 hours of becoming aware of the breach.
Because whether a breach poses a “high risk to individuals” is largely a subjective test, the ICO was flooded with breach reports in the early days and pleaded with businesses not to report every breach, however minor.
At Stephens Scown we have helped many organisations, both big and small, consider whether or not they need to report a breach to the ICO and have made many reports on behalf of clients over the last three years. Whilst not every breach needs to be reported, it is vitally important that due consideration is given to whether or not to report a breach, and that any decision to report / not report is recorded in your breach register to meet your accountability obligations.
Breach reporting has certainly become a part of normal life for data protection officers. The 72-hour limit has forced organisations to act quickly, whereas previously they may have rested on their laurels.
We have seen many businesses come unstuck by not having the right processes in place to respond to a breach quickly (or by not making their employees aware of the process to follow). Many organisations have also failed to appreciate that it is 72 hours, not 72 working hours – and these things always seem to happen on a Friday afternoon!
We have also seen, and continue to see, large high-profile breaches and fines across various different sectors – from travel (British Airways and Marriott International) to retail (Morrisons). Few sectors have remained untouched.
Subject Access Requests (SARs) on the increase
We have also seen a huge increase in the number of subject access requests (also known as SARs) received.
Previously, organisations could charge individuals £10 for making a subject access request, but this was scrapped by GDPR (although a data controller can still charge for a SAR if the data subject asks for additional copies). Whilst £10 is not a lot of money, it did act as an inconvenience for those submitting a SAR on a whim – for a start, they had to find their cheque book!
In the past, it was common for individuals to submit a SAR in anger; when asked for the fee they never responded with payment, and the organisation on the receiving end of the SAR was off the hook. With that barrier now gone, coupled with an increased awareness by the public of their data protection rights, this has led to an increase in subject access requests from both customers and employees.
Increased awareness of GDPR and data protection
When GDPR came in, everyone had heard of it and was talking about it – with most people not realising that in fact they already had some of the rights and protections granted by GDPR as they already existed under the old Data Protection Act 1998.
The hype around GDPR’s introduction has definitely led to an increased awareness of data protection amongst the general public, and it is now common to see individuals quote the legislation when making a complaint or a request to an organisation. Data protection is no longer a topic exclusively for privacy lawyers and IT professionals – GDPR brought it to the masses.
At Stephens Scown, we have found that many businesses still do not understand how to respond to a subject access request, and many do not understand that an access request can be made verbally and/or via social media. Due to this lack of knowledge, they find themselves on the back foot, running out of time to respond. More information on SARs and the risks of getting it wrong is available here.
A hot topic on business sales
It has become increasingly common to see data protection compliance as a hot topic on business sales (whether by an asset sale or a share sale). No prudent buyer wants to take on a huge potential liability for previous breaches of data protection legislation by a business.
GDPR significantly increased the fines available to regulators. As a result, when a business being sold does not have correct, compliant data protection policies and procedures in place, or has not registered with the ICO, potential buyers are very concerned. We are commonly seeing buyers request robust warranties and indemnities to protect them against any previous areas of non-compliance. This applies across the board, as most businesses, however small and whatever the sector, will hold personal data of some sort, whether it be personal details of employees or email addresses of customers or suppliers.
Many organisations wrongly believe that if they process email addresses of their named business contacts then they are not processing personal data, but this is not the case. One of the key takeaways from the Marriott decision was that Marriott was fined for a breach of security that happened to a business it had previously purchased, which did not have adequate security measures in place.
Carrying out appropriate technological due diligence is therefore key when purchasing any business to help avoid the risk of inheriting what could be huge liabilities for data protection breaches.
Focus on GDPR training
Human error is the most common reason for a breach report to need to be submitted to the ICO. Training staff is therefore key. It is also now becoming increasingly common for customers to ask for contractual commitments in supply contracts that the supplier has ensured that their staff have received adequate training on data protection. The ICO breach report form asks whether the individual involved in a breach has received training in the last two years.
If no training has been provided and a breach occurs as a result of a human error which could have been avoided with appropriate training, the ICO will not be impressed with an organisation’s behaviour.
Further changes in data protection law
If anything is certain with data protection law, it is the fact that it does not stay still for long. Whilst we have still seen very little case law from the UK courts since GDPR’s implementation, we have seen various decisions from data protection regulators across Europe interpreting the legislation.
The ICO has also been gradually updating its own guidance in line with GDPR (and still continues to do so), so it is important that organisations continue to look out for further developments and remember data protection compliance does not start and stop with the implementation of GDPR.
Of particular note, in summer 2019 the ICO issued new guidance on obtaining consent for non-essential cookies, which many organisations are still not following. We have also seen the ICO focus in on particular areas for investigation such as AI, adtech and political campaigning.
In the last three years we have also seen the death of the Privacy Shield. This has added further complexity for those organisations making transfers of personal data to the US (which most are by using third party software and platforms based in the US). You can read more about that here.
Brexit & UK GDPR
Then came the “B” word with Brexit – as a result we now refer to “UK-GDPR” and the Data Protection Act 2018 when looking at data protection compliance. We are now left seeking an adequacy decision from the European Commission so that we can continue to receive personal data from members of the EEA without friction.
Brexit has also brought other changes for data protection that businesses need to be mindful of, including consideration of whether or not they need to appoint an EEA representative (see Appointing an EU Representative for Data Protection – a reminder for UK businesses for further details).
Further changes are on the horizon with the Children’s code which comes into force properly in September 2021 following a 12-month transition period – this is one to be mindful of for those offering online services or mobile apps and games that may be accessed by under 18s.
It is important that businesses continue to be alive to the various changes to data protection laws and guidance to ensure they remain on the right side of the law.
GDPR is a journey not a destination
When GDPR first came into view, the ICO were at pains to make it clear GDPR compliance was a continuous journey and not a destination, and that is as true today as it was in 2018. Businesses cannot afford to procrastinate or be still when it comes to their compliance.
Many organisations did a lot of work in the run up to the GDPR ‘go live’ date; many got consultants in, had a project plan, wrote lots of generic policies that were never implemented and have remained in a drawer gathering dust since 2018. Those organisations will not be compliant.
Keeping GDPR documents updated
It is important that data protection policies and processes are day-to-day living documents that someone in the organisation has oversight and control of and not simply documents that are kept in a drawer.
Processor and controller records should be kept up to date and a breach record kept. ‘Privacy by design and default’ should be embedded into your business operations and mindset, with privacy impact assessments being carried out as a matter of course. We are now seeing many businesses recognising that their efforts in 2018 were not enough and simply paid lip service to GDPR. They are now re-visiting their data protection compliance to get it right this time.
So, does GDPR still strike the same chord with people as it once did? Have we come to terms with it? Are we still rolling our eyes in disdain? However one might feel, you cannot, and should not, ignore the impact and continuing impact that the current data protection laws have had.
One thing is certain, whilst it may evolve and change, the core principles of GDPR are definitely here to stay for the foreseeable future.