This article was written by Mark Gracey from the Digital Compliance Hub, a GDPR and data privacy support service based in Dorset.
Do you remember the first half of 2018? Everyone was GDPR crazy. Re-seeking consent emails were coming from everywhere (a lot of them unnecessarily, and destroying email list subscriptions) and everyone was rushing to be GDPR compliant by GDPR D-Day, 25th May 2018, some perhaps becoming aware of what they could and couldn’t do with data for the first time, despite the GDPR being an update to a 20-year-old law in the UK (the Data Protection Act 1998).
Just over 12 months on and no one is really talking about it as a business challenge, and the most you’ll get from anyone on the mention of the data protection regulation is perhaps a moan as someone recalls the 6-month (or more) project they had to endure to get it right in the lead up to the deadline. It’s as though everyone thinks GDPR was a Y2K problem (if you’re old enough to remember 1999 and the major IT failures predicted as computers failed to cope with the date change from 1999 to 2000).
But it couldn’t be further from the truth. The General Data Protection Regulation (GDPR) was not a one-off compliance box-ticking exercise. Just as the Data Protection Act 1998 before it, the GDPR is here to stay for years to come until the next data protection law, and it is in force: 25th May 2018, 25th May 2019, today, tomorrow, next month, next year, until a new law comes in to replace it. It’s relatively IT neutral, so it’s unlikely it will need updating to keep track of new technologies; after all, the GDPR is about personal data, data that identifies an individual, and applies regardless of how that data is processed.
In fact, the GDPR itself sets out the ongoing compliance requirements. Article 24 sets out that those processing data must not only have put measures in place to ensure GDPR compliance but also that “those measures shall be reviewed and updated where necessary”. That means we all have a duty to ensure we are always data protection compliant.
Part of the reason it’s not on businesses’ radar at the moment is probably the lack of enforcement. In the first year of GDPR there were only 7 recorded GDPR enforcement actions across the whole of the EU, with the UK’s only action being a demand to delete data rather than a formal enforcement action, back in October 2018. But this is set to change; just look at the facts:
8th July 2019: ICO states its intention to fine BA £183m for website security breach
9th July 2019: ICO states its intention to fine Marriott Hotels £99m for website security issues with a company it acquired
9th July 2019: ICO publishes its first GDPR-related annual report highlighting over 41k complaints made to the ICO
Whilst it remains to be seen whether the BA and Marriott Hotels fines will actually be as big as the intentions to fine, it’s an indication the ICO (Information Commissioner’s Office – the GDPR enforcer in the UK) are getting to the GDPR side of their complaints backlog and they’re willing to flex their newfound GDPR muscles when it comes to enforcement. By the way, those 41,000+ complaints were almost double what it received the year before (in a pre-GDPR world).
We shouldn’t focus on the BA and Marriott fines too much, as these are just headline-grabbing numbers which the press like to report about big-name businesses, and the challenge for most businesses is always to understand the implications of these ICO actions for their own business. And it’s important that you do reflect on what ICO enforcement could mean for your business, because often buried within the actual enforcement notices (which the ICO publish) is a goldmine of what compliance should look like or means in practice. For example:
For the BA case (although we haven’t seen the enforcement notice yet, so don’t know the details) the indication is that the proposed fine is 1.5% of their turnover (remember the GDPR allows, under some circumstances, for fines of up to 4% of global turnover), so is this an indication that 1.5% of turnover is a fine benchmark going forward? 1.5% of turnover will hurt any business, regardless of its size
For the Marriott case (again it’s only intended enforcement, so we don’t have the details) the issue was not that Marriott will be fined for a website security issue, but that they acquired another business and their due diligence didn’t spot the security flaw, so even though Marriott weren’t the cause of the breach, they’re being held accountable for it, for the failings of someone else
But looking further afield, did you know:
The £80k fine for an estate agent in July 2019 came about because they shared personal data via an internet server that did not have appropriate security in place (for 2 years!), but not only that, the enforcement notice sets out what the ICO expected to see in terms of security of data, including regular monitoring of access logs, penetration testing and employee training
A TV production company were fined £120k for failing to seek proper consent (this was “old” data protection consent, rather than GDPR as the offence was pre-May 2018) whilst filming at a clinic, using CCTV-like cameras – they had sought consent but not appropriate consent given the nature of what was being recorded and who would be affected by the recordings
A pension firm in March 2019 were fined £40k for sending out unsolicited emails using a third-party service, even after seeking advice from a consultant and law firm. Whilst this case highlighted that you’re still liable even if you can demonstrate you thought you’d got the best advice, it raises questions about how businesses are sending out their email marketing and what due diligence should be carried out against providers of marketing services
So, you see, these are just a few examples of how data protection compliance evolves over time. We’re in the early years of GDPR compliance, and as the ICO (and the other EU regulators) start enforcing under GDPR we will start building a picture of what best practice should look like. If you’re not paying attention to how the GDPR is interpreted across the EU as well as the UK, how can you be sure you are still compliant, and how can you demonstrate to the ICO, should they ask, that you are still compliant?
So, what should you be doing? Here are some questions you should be asking yourself:
Are you still compliant? Have you put in place an internal process for reviewing your ongoing compliance? GDPR compliance is for life, so if you haven’t updated your data audit or processing register, your processing documentation, your staff training, etc., how can you be sure you’re still GDPR compliant?
Are your internal processes still working to ensure you meet the rights of your data subjects – are you dealing with subject access requests, spotting breaches and considering whether they need reporting?
How are you making sure you are up to date with the latest developments, bearing in mind that these developments might be new ICO guidance (like the recent cookie consent changes), enforcement notices containing insight into how the GDPR is being interpreted, or new sector-specific codes of practice?
Do you know who you’ll turn to internally if you need help and support with a data protection issue? Is someone internally looking after ongoing compliance? Do they know how to get practical guidance externally?
If you’ve not thought any more about GDPR compliance within your business since May 2018, maybe it’s time to revisit GDPR, get up to date and make sure you stay compliant today and into the future.
Mark’s 20+ years’ experience of working as a regulatory manager in the internet and telecoms sector, focusing on data protection, data retention, content liability and policy, puts him in a unique position to offer practical data protection, GDPR and privacy compliance advice and support.