In an era of rapidly advanced technology, the enactment of the General Data Protection Regulation ("GDPR") has marked a real focus on the importance of data protection. With its 1 year anniversary having passed, we thought it would be important as data protection experts to provide you with an update on the impact and effect that GDPR has had in the last year. Check out our top 10 key points below and please get in touch with us on compliance@aria-grace.com if you want to discuss any of them and/or how we can help you.
(1) Legal uncertainty remains
There are still misconceptions, misunderstandings and uncertainty around GDPR, including grey areas concerning certain words and phrases such as what really does "transparency", "accountability" and "large-scale" really mean? How far does one have to go to demonstrate whether and how they are achieving compliance with GDPR? As a starting point, our advice is always that, as well as having proper policies and processes in place, organisations should document, document and finally document every-one of their key decisions in respect of GDPR so that they can demonstrate that they have truly considered GDPR and have formed a logical conclusion on a certain point. This is critical where an organisation is questioned by a regulator – as it really needs to show that it has thought about GDPR and formed a rational basis for its decisions. This could be the difference between advice from a regulator on how to proceed or a fine from a regulator – so keep documenting what you’re thinking and why to protect your organisation.
(2) Resources with specialist in-house knowledge
Devoting sufficient resources to building and/or developing a GDPR program is continuing to be a challenge for many organisations. Some have still not put aside a specific budget for GDPR readiness and management at all. We have noticed cases where newly appointed data protection officers are holding multiple hats, which actually adds to rather than mitigates a risk in respect of the management of GDPR programs. Organisations are struggling to find bona fide data protection officers who are seasoned professionals in this area. One solution to deal with this situation is to instruct external lawyers (and of course, we think Aria Grace Law), to aid you in at least initially building a GDPR program and providing you with options on how you can keep your costs down and manage your GDPR program in the long-term.
(3) Empowered data subjects and their impact has been somewhat underestimated
GDPR conferred specific rights on data subjects; some of these rights were already in place under previous legislation but were not exercised as much. For example, under the Data Protection Act 1998, data subjects could make a subject access request for £10.00 to any organisation that held their personal data. In theory, GDPR only removed the £10.00 requirement but in practice all of the press attention concerning data subjects’ rights put these rights in the forefront of everyone's mind.
We have noticed over the year that data subjects are now certainly exercising their rights and that organisations should be mindful of not only customers but also members of staff making such requests upon leaving. Organisations really need to factor in the time and cost of managing compliance in this area as it can be highly burdensome and the consequences for non-compliance are dire. Focus on keeping not only your customers but also your members of staff happy – our advice is to start and end all relationships on the best footing and keep only the personal data that is really necessary to keep, otherwise the data asset becomes a data liability.
(4) Robust contracts with third party suppliers (processors) are not optional
GDPR requires organisations to enter into certain contracts when one is a data controller and the other a data processor. We have seen that the exercise in completing this can be as time consuming as responding to data subjects exercising their rights.
There are several processors across the EEA that surprisingly still do not recognise that they need to have contractual mechanisms in place or their contracts are not compliant with GDPR. Organisations in the EEA (who are recognised as data controllers) are advised to ensure a thorough review of their contracts with their third parties whether in or out of the EEA. A more diligent approach must also be taken with processors outside of the EEA and appropriate safeguards must be put in place for the transfer of personal data outside of the EEA. One such option is the EU’s Standard Model Clauses.
(5) Employee training needs a bit more thought
One of the key principles of GDPR is the concept of privacy by default and design, requiring Organisations to put in place technical and organisational measures to ensure compliance with GDPR from the bottom up – this includes the obligation to train staff; however, we've noticed that the approach taken by organisations varies with some doing it brilliantly whereas others preferring to make things simple, albeit a bit too simple such as with a generic PowerPoint on GDPR which is circulated across an entire organisation, and some just not doing it at all. Key to managing GDPR successfully is to ensure that everyone has an awareness of it and most importantly how it affects their day-to-day activity (which requires targeted / tailor made training per function).
For the year ahead, organisations should focus on thinking about how to roll-out their annual training plan in a more effective way that makes a meaningful difference. There is definitely merit in staff knowing what to do in certain situations (i.e. especially as data subjects are able to exercise their rights in various ways and through different channels of communication including social media – so your staff need to know when a data subject has exercised their right as compliance is under strict timelines).
(6) GDPR is having a ripple effect across the globe
With GDPR having extraterritorial reach, it has been effective in its global impact on how organisations and policy-makers consider data protection. It has inspired a global movement with countries that such as Brazil, China, India and Japan proposing new legislation and/or passing new laws in this area – some of which is closely aligned to the principles in GDPR.
We have also seen that the California Consumer Privacy Act 2018, which will be applicable from 1 January 2020, has also been partly inspired by GDPR. Organisations keen to expand or already having an international presence should take note and should be mindful of any nuisances between certain countries.
(7) Regulatory action (i.e. fines) is about to really start ramping up
The total penalties imposed under GDPR added up to approximately €55 million, with a €50 million fine levied against in Google by the French data protection regulator. So far and apart from Google, no penalties have come as close to the maximum fine of €20 million or the 4% of annual revenue. However, we are of the view that this is partly because regulators have temporarily allowed organisation a bit of leeway on this front, but things are going to start changing very soon.
Data protection investigations are also extremely complex, lengthy affairs and we think that over the next 2 years, we are going to start seeing much more regulatory action as regulators will complete their investigations and start taking action. The Irish data protection regulator has already reported that it is dealing with 38 personal data breaches involving 11 multinational companies, so it is only a matter of time before it exercises its enforcement powers.
(8) Defensive data breach reporting seems a common occurrence
The UK’s data protection regulator (known as the Information Commissioner’s Office (“ICO”)) has reported a very significant increase in the number of organisations reporting data protection breaches. It has stated that on a weekly basis it receives over 500 calls to its data breach hotline and from those calls approximately 170 do not satisfy the requirements for when a data breach needs to be notified to them.
With GDPR having such an impact, it’s understandable that organisations feel it is necessary to defensively report what they believe to be a data breach. However, it is more beneficial for organisations to have a clear data breach policy and process and do a thorough fact gathering exercise and populate a well thought out data breach log – this would allow them to really apply the legal requirements to identify if the threshold has been passed whereby a regulator is to be notified.
(9) What about PECR?
The Privacy and Electronic Communications Regulations ("PECR") more often than not is in the shadow of GDPR. PECR is a separate piece of legislation and applies to the processing of personal data in the electronic communications sector and is of vital importance for organisations that conduct direct marketing, particularly email. However, over the last year, we have seen that organisations fail to truly consider and apply PECR in their marketing activities. The ICO has certainly not forgotten about PECR and has issued several enforcement notices over the last few months concerning how organisations are either failing to consider it or are not applying the law correctly. Take a look at Grove Pension Solutions Limited and Hall and Hanley Ltd as examples.
(10) Organisations are starting to see GDPR as a benefit rather than a burden
The exercise of initially becoming GDPR compliant and subsequently embedding it into an organisation's day-to-day practices is starting to be seen in a more favourable light by the majority of organisations. This is because they are seeing the value-add of data insight and how it can aid in their commercial decision making. Certain exercises required under GDPR, such as reviewing all third-party supplier arrangements is helping organisations to conduct a full inventory of their contractual relationships. The output of this is that they are really seeing what suppliers are engaged across various functions, the benefits of those relationships and whether there are any duplications in the services being provided. The positive impact of this is significant from a cost-saving perspective.
Attitudes towards GDPR have and are continuing to change for the better and our advice to organisations is to use this 1 year anniversary to conduct an annual review of their entire GDPR program (including consideration for PECR). This is important because the last thing that an organisation should do is become complacent – especially at a time that regulators are getting ready to really start using their powers. See the real benefits, avoid the regulators.
If you have any questions or need advice in this area, please contact our data protection experts on compliance@aria-grace.com.
About Aria Grace Law: We are commercial lawyers as well as being specialists in the GDPR. We have worked with some of the worlds largest organisations advising on and putting in place cost effective GDPR compliance programs. Clients include Axiom Law, one of the world’s largest legal services providers who trust us to deliver their global GDPR compliance program. As well as advising on UK privacy, we also provide specialist legal advice for German and French privacy law.