This week has been a very busy one for the Information Commissioner's Office ("ICO"), with two notices of intention to fine issued under the General Data Protection Regulation 2016/679 ("GDPR") and its annual report published. At Aria Grace Law we have been keeping abreast of the ICO's activities and wanted to share our top 5 observations on the annual report, which was published on 9 July 2019:
1. The ICO is acknowledging and truly embracing its powers under the GDPR and the Data Protection Act 2018, including the ability to issue "no notice" assessment notices, under which it can gain access to a company's data protection practices significantly faster than under the previous law. This means that organisations will have little to no time to consider and plan how to engage with the ICO before they have to hand over information on their data protection programme. OUR ADVICE: make sure that you have a robust GDPR compliance programme and are ready for any type of notice from the ICO.
2. The ICO is developing a stronger relationship with domestic regulators and stakeholders, including Ofcom, the Financial Conduct Authority, the Competition and Markets Authority and the Pensions Regulator. This means that your organisation should be mindful of any regulatory engagement, as the communication channel between regulators is becoming much clearer. We have seen the Financial Conduct Authority and the ICO work together in this area in the past. OUR ADVICE: look at the laws and regulations that apply to your business holistically and consider where regulatory jurisdictions may overlap; be alert to the fact that regulators will communicate with each other, and entrust one senior person within your organisation to be the point of contact for all regulators.
3. The ICO has been thinking about how it can ensure that it is adequately resourced to manage investigations, enforcement and litigation. The ICO has highlighted that resourcing is one of the risks it faces, because of the complex and lengthy legal proceedings in which it will have to defend its enforcement action against certain organisations (such as Facebook). OUR ADVICE: take this as a warning sign that more enforcement action is on the horizon and ensure that, whilst the ICO is scaling up its resources, your organisation has a sufficient budget to deal with GDPR compliance.
4. Cyber security is at the core of some of the most prominent personal data breaches of 2018-2019. Three major fines were issued under the Data Protection Act 1998, against Uber, Yahoo! and Equifax. Over the last week, we have seen British Airways and Marriott International at the centre of major cyber security failures, which have resulted in the ICO issuing both of them a notice of intention to fine, as well as a steady stream of bad press. OUR ADVICE: stay on top of the enforcement activity and read the summaries (and, if you have the energy, the full notices), as the ICO is likely to expect organisations to follow its enforcement journey and regularly review the advice and guidance it issues to ensure that best practice is applied.
5. The ICO will be publishing statutory codes during 2019-2020 on age-appropriate design, data sharing, direct marketing, and data protection and journalism. These statutory codes will be taken into account by the ICO, courts and tribunals when assessing whether an organisation is compliant with the GDPR. OUR ADVICE: be ready to review the codes and/or solicit advice on them, as the difference between understanding and applying the codes and being complacent about them may well be a financial penalty and reputational damage.
If you have any questions or need advice in this area, please contact our data protection experts on firstname.lastname@example.org.
About Aria Grace Law: We are commercial lawyers as well as specialists in the GDPR. We have worked with some of the world's largest organisations, advising on and putting in place cost-effective GDPR compliance programmes. Clients include Axiom Law, one of the world's largest legal services providers. As well as advising on UK privacy law, we also provide specialist legal advice on German and French privacy law.