Ann-Maree Blake, Data Protection and Corporate Partner
Cast your mind back to this time one year ago. Chances are your inbox was inundated with emails asking you to consent to receiving communications from a plethora of panicked companies. You and your team would have (hopefully) been in the last stages of preparing for the General Data Protection Regulation (GDPR) coming into force. The workload and energy would likely have been high, as the project, which depending on the size of your organisation may have been quite resource demanding, was coming to an end.
Almost one year on from D-Day (25 May 2018 in case you have forgotten), now is the time to reassess your data protection compliance, as complying with the GDPR principles is an ongoing process.
The fines start to roll in and big tech is the target
The first major fines for breaching the GDPR have been issued this year. In January 2019, Google was fined €50 million (£44 million) by the French data protection authority CNIL.
The fine followed complaints by privacy associations None Of Your Business (NOYB) and La Quadrature du Net (LQDN). They stated that the tech giant did not have a valid legal basis for processing the personal data of the users of its services, particularly for ads personalisation.
CNIL agreed, despite Google arguing that it did gain the required consent from users:
“First, the restricted committee observes that the users’ consent is not sufficiently informed. The information on processing operations for the ads personalisation is diluted in several documents and does not enable the user to be aware of their extent.
“Then, the restricted committee observes that the collected consent is neither ‘specific’ nor ‘unambiguous’.”
The regulator also found that Google failed to make information such as the reasons for data processing, the data storage periods, and the categories of personal data used for ads personalisation easily accessible.
NOYB has also filed complaints against Apple, Amazon, Netflix, and Spotify on the grounds that they are not complying with Article 15 of the GDPR, which sets out the data subject's right of access. These complaints are now before the Austrian data protection regulator.
UK organisations are falling short on GDPR compliance, particularly in relation to Data Subject Access Requests (SARs)
Most organisations have implemented correct consent procedures (for example, asking website visitors to opt in to receiving newsletters and other marketing material), but it is complying with SARs that seems to be causing concern.
Following CNIL's decision, an article in the Independent reported research showing that 74% of UK organisations failed to address requests from individuals seeking to get hold of their personal data within the one-month specified time period. The research, which is based on personal data requests made to 23 companies based or operating in the UK, found that only 17% of those surveyed complied correctly with the requests, while a further 9% gave incomplete or delayed responses.
Jean-Michel Franco, a senior director at Talend, a cloud-service provider, told the Independent that Article 15 was the “Achilles’ Heel” of most organisations when it comes to complying with GDPR.
“The world has been on tenterhooks waiting for the first major fine to be enforced for a breach of the GDPR – and this week they got what they were waiting for,” Mr Franco said. “There is a great deal of work to do in this area. A delay, or complete lack of a response, will only continue to damage free-falling consumer trust in how organisations store and organise their data.”
EU Commission's infographic
The European Commission released an infographic in January 2019 which illustrates the state of GDPR compliance, enforcement, and awareness eight months on from the regulation coming into force. Key takeaways include:
Several cases are currently being considered across the EU.
How to ensure your GDPR compliance remains current
To ensure your GDPR compliance is up-to-date, take this time to check the following:
Like cybersecurity, data protection compliance is not a check-box exercise to be completed once every few years. Criminals are constantly developing new ways to breach even the tightest security systems, and the consequences can be catastrophic. In 2018, Morrisons Supermarkets was held to be vicariously liable for the actions of an ex-employee who published the payroll details of almost 100,000 of his colleagues online. The decision was made under the Data Protection Act 1998; however, it illustrates how employers can be held accountable for data breaches even when all necessary protection measures have been put in place. The Court of Appeal's decision (Wm Morrisons Supermarkets Plc v Various Claimants [2018] EWCA Civ 2339) is currently being appealed.
The recent Bounty case also shows the consequences of failing to comply with the principles that the GDPR carries forward. Bounty was fined £400,000 for breach of principle 1 of the Data Protection Act 1998, which requires fair and lawful processing and a specified ground or condition for processing. The Information Commissioner's Office found that Bounty had shared the personal data of over 14 million individuals with a number of third-party organisations, such as credit reference and marketing agencies, without providing sufficient information to those individuals about the sharing. Bounty had therefore not processed the data fairly, the transparency requirement was not met, and any consent Bounty had obtained was neither specific nor informed and so was not valid.
Now is the time to check where your organisation stands on GDPR compliance and address any known weaknesses in your systems.
Prepare the umbrella before it rains – Malay proverb