Ann-Maree Blake, Data Protection and Corporate Partner
Cast your mind back to this time one year ago. Chances are your inbox was inundated with emails asking you to consent to receiving communications from a plethora of panicked companies. You and your team would have (hopefully) been in the last stages of preparing for the General Data Protection Regulation (GDPR) coming into force. The workload and energy would likely have been high, as the project, which depending on the size of your organisation may have been quite resource demanding, was coming to an end.
Almost one year on from D-Day (25 May 2018 in case you have forgotten), now is the time to reassess your data protection compliance, as complying with the GDPR principles is an ongoing process.
The fines start to roll in and big tech is the target
The first major fines for breaching the GDPR have been issued this year. In January 2019, Google was fined €50 million (£44 million) by the French data protection authority CNIL .
The fine followed complaints by privacy associations None Of Your Business (NOYB) and La Quadrature du Net (LQDN). They stated that the tech giant did not have a valid legal basis for processing the personal data of the users of its services, particularly for ads personalisation.
CNIL agreed, despite Google arguing that it did gain the required consent from users:
“First, the restricted committee observes that the users’ consent is not sufficiently informed. The information on processing operations for the ads personalisation is diluted in several documents and does not enable the user to be aware of their extent.
“Then, the restricted committee observes that the collected consent is neither ‘specific’ nor ‘unambiguous’.”
The regulator also found that Google failed to make guidance such as, the reasons for data processing, the data storage periods, or the categories of personal data used for ads personalisation, easily accessible.
NOYB has also filed complaints against Apple, Amazon, Netflix, and Spotify on the grounds that they are not complying with Article 15 of the GDPR which sets out data subject’s rights of access. This is now before the Austrian data protection regulator.
UK Organisations are falling short on GDPR compliance, particularly in relation to Data Subject Access requests (SAR)
Most organisations have implemented correct consent procedures (for example, asking website visitors to opt-in to receiving newsletters and other marketing material) but complying with SAR that seems to be causing concern.
Following CNIL’s decision, an article in the Independent stated that research showed 74% of UK organisations address requests from individuals seeking to get hold of their personal data within the one-month specified time period. The research, which is based on personal data requests made to 23 companies based or operating in the UK, found that only 17% of those surveyed complied correctly with the requests, while a further 9% gave incomplete or delayed responses.
Jean-Michel Franco, a senior director at Talend, a cloud-service provider, told the Independent that Article 15 was the “Achilles’ Heel” of most organisations when it comes to complying with GDPR.
“The world has been on tenterhooks waiting for the first major fine to be enforced for a breach of the GDPR – and this week they got what they were waiting for,” Mr Franco said. “There is a great deal of work to do in this area. A delay, or complete lack of a response, will only continue to damage free-falling consumer trust in how organisations store and organise their data.”
EU Commission’s Info-graph
The European Commission released an info-graph in January 2019 which illustrates the state of GDPR compliance, enforcement, and awareness eight months on from the regulation coming into force. Key takeaways include:
- There were 95,180 complaints to European GDPR enforcement authorities between May 2018 and January 2019
- Telemarketing, promotional emails, and video surveillance generated the most complaints
- There were 41,502 reports of data breaches
- Aside from Google’s fine, two other companies had been sanctioned – a sport’s betting café in Austria was fined €5,280 for unlawful video surveillance, and a German social network operator was fined €20,000 for not securing users’ data
There are now several cases currently being considered across the EU.
How to ensure your GDPR compliance remains current
To ensure your GDPR compliance is up-to-date, take this time to check the following:
- Data-mapping – understanding where personal data is stored is crucial in ensuring you can respond to a SAR or breach within the required time. Make sure that new data gathered over the past 11 months is recorded and stored in an accessible place.
- Data Protection Officer (DPO) – under Article 37 certain organisations must have a DPO in place. If your company has grown over the last 11 months or changed the amount or type of data it is processing, you need to revisit whether a DPO is required.
- Communication and training – is it time to have some refresher training courses on GDPR compliance, especially in relation to SAR? Perhaps new recruits have not received any guidance on your organisation’s policies and procedures. Now is the perfect time to gather feedback from staff and plan training to fill in any knowledge gaps.
- Records of data processing – do an audit of your data processing records. Under Article 30, you as the data controller are responsible for ensuring accurate records are kept. Things may have started off well, but it is easy for this type of recording to lapse over time. Make sure everything is up to date.
- Review your contracts – Are all your contracts GDPR compliant? For example, if you outsource your bookkeeping or customer serviced activities, does the supplier have adequate GDPR compliance systems in place. This requirement must be clear in your contract, with references to how compliance must be met.
- Data Protection Impact Assessments (DPIA) – if your organisation has undertaken or is planning to undertake a project that has a high risk of impacting the “rights and freedoms of a natural person” then under Article 35 a DPIA should be carried out. Make sure there are policies and procedures in place for conducting a DPIA and recording any findings.
Like cybersecurity, data protection compliance is not a check-box exercise to be completed once every few years. Criminals are constantly developing new ways to breach even the tightest security systems. And the consequences can be catastrophic. In November 2018, Morrisons Supermarkets was held to be vicariously liable for the actions of an ex-employee who released the payroll details of almost 100,000 of his colleagues onto the dark web. The decision was made under the Data Protection Act 1998; however, it illustrates how vulnerable employers are accountable for data breaches, even when all necessary protection measures have been put in place. The Court of Appeals decision (Wm Morrisons Supermarkets Plc v Various Claimants  EWCA Civ 2339) is currently being appealed.
The recent Bounty case also shows the consequences of failing to comply with the principles of the GDPR. Bounty was fined £400,000 for breach of principle 1 of the Data Protection Act 1998 which relates to fair and lawful processing and having a specified ground or condition for processing. The Information Commissioners Office found that Bounty had shared the personal data of over 14 million individuals to a number of third party organisations, such as credit reference and marketing agencies, without providing sufficient information to individuals about this sharing. Therefore, Bounty had not been processing the data fairly, the transparency requirement was not met and any consent obtained by Bounty was not specific and informed and was not valid.
Now is the time to check where your organisation is with regards to GDPR compliance and address any known weaknesses to your systems.
Prepare the umbrella before it rains – Malay proverb
If you require advice on GDPR or any other privacy or data protection matters, please get in touch with Ann-Maree Blake, a Partner in our Data Protection team.