13th June 2019
The EU General Data Protection Regulation (GDPR) arrived with much fanfare just over a year ago, introducing – among other things – new and enhanced rights for individuals in relation to their personal data. The UK’s Information Commissioner had this to say in her recent blog post GDPR – one year on:
“People have woken up to the new rights the GDPR delivers, with increased protection for the public and increased obligations for organisations. But there is much more still to do to build the public’s trust and confidence. With the initial hard work of preparing for and implementing the GDPR behind us, there are ongoing challenges of operationalising and normalising the new regime. This is true for businesses and organisations of all sizes.”
As we move into the second year of GDPR, the Commissioner says that the focus must be “beyond baseline compliance”:
“…organisations need to shift their focus to accountability with a real evidenced understanding of the risks to individuals in the way they process data and how those risks should be mitigated. Well-supported and resourced DPOs [data protection officers] are central to effective accountability. Strong accountability frameworks are the backbone of formalising the move of our profession away from box ticking. They reflect that people increasingly demand to be shown how their data is being used, and how it is being looked after. They are an opportunity for data protection to be an enabler of growth and innovation whilst building people’s trust and confidence in the way their information is handled.”
Specific requirements in relation to documentation and record-keeping are one part of this universal principle of accountability under the new regime. It is about being proactive, organised, evidencing the steps taken to ensure compliance and adopting a ‘data protection by design and by default’ approach – moving away from box ticking and embedding data protection considerations into the organisation’s operations.
Much of the focus and commentary has been on the eye-watering level of fines which data protection regulators can impose under GDPR – up to 4 per cent of annual global turnover or €20 million, whichever is the greater, for violations relating to fundamental failings, such as breaches of any of the basic principles for processing personal data and breaches of data subjects’ rights.
To date, the only financial penalty to meet those expectations is the record €50 million fine handed to Google LLC by France’s national data protection regulator in relation to complaints over the issue of forced consent. The company was fined for lack of transparency, inadequate information and lack of valid consent regarding ad personalisation. However, the indications are that we will soon see the first wave of post-GDPR enforcement action emerging as Europe’s data protection regulators start to complete the many investigations they have been working on over the past year.
The UK’s Information Commissioner also stresses in her more detailed update that enforcing GDPR is not just about big fines, but about using all the tools set out in the Regulatory Action Policy of the Information Commissioner’s Office’s (ICO). One of the ICO’s stated objectives is to be effective, proportionate, dissuasive and consistent in its application of sanctions, targeting its most significant powers on organisations and individuals suspected of repeated or wilful misconduct or serious failures to take proper steps to protect personal data.
In the rest of this newsletter, which is relevant for all data controllers, we take a look at two recent cases providing useful guidance on the handling of data subject access requests and the courts’ approach. We also highlight the recent dismissal of Farrow & Ball’s appeal against a penalty notice for failure to pay its data protection fee, which sets a robust tone for the enforcement of penalty notices.
Now would be a good time for organisations of all sizes to take stock, to review their policies, procedures and customer/supplier contracts, and to refresh staff training, incorporating any learning points from the past year to ensure continued GDPR compliance.
Should you have any queries or require any assistance in relation to any aspect of GDPR compliance, including conducting a data protection audit, please do not hesitate to contact Jeanette or Andrew.