The first hints of a new, tougher approach towards tackling bad practice in handing personal data are now starting to hit the headlines.
In the past few weeks, the Information Commissioner’s Office (ICO) has made public statements as to its intentions under General Data Protection Regulation (GDPR). This is not something to be taken lightly.
Although the excitement of GDPR and a new era of responsible data management did seem to be drifting more and more to the backs of everyone’s minds (after all, 25 May was two months ago), this is not the time to take your foot off the gas. It’s time to ensure your policies and procedures are fully GDPR compliant while the regulators may still be happy to advise on issues, rather than move directly to enforcement and potentially high fines.
To help with this, our GDPR Hangover post advises our client network on what measures they can take as a matter of urgency to move along the road to full compliance.
Facebook’s continuing troubles
The ICO has publicly confirmed its intention to fine Facebook under the old Data Protection Act 1998, for failing to ensure that another company, Cambridge Analytica, had deleted users’ personal data in line with Facebook’s policies and procedures. The ICO is also planning to bring a criminal action against SCL Elections, the parent company of Cambridge Analytica. This follows on from the original story about Facebook and the use of third-party data from earlier this year.
The ICO is intending to fine Facebook £500,000. This is the maximum that was allowed under the previous rules. If the breaches had occurred after 25 May, Facebook’s fine would have been $1.6 billion. Remember that GDPR permits regulators to fine firms either 4% of their annual global turnover or 20 million euros, whichever is greater.
Firms should take this public statement as a stern warning to ensure they are fully in compliance with GDPR as a matter of urgency. Thoughts that GDPR might be an anti-climax, or that regulators may take some time to begin enforcement, should be firmly ignored – the ICO will use the fullest extent of its powers when necessary.
Going after other Big Fish
Showing its determination to get the message across by even going after political parties, the ICO has made clear its views about the use of data brokers.
Data brokers are firms that gather personal information from members of the public and sell it to different organisations. So far, the ICO is already planning to fine data broker Emma’s Diary £140,000 for sharing personal data with the Labour Party, and political consultancy firm Aggregate IQ has been told it must stop processing UK citizens’ data.
The ICO has also written to the UK’s 11 main political parties, stating that they must have their data protection practices inspected. The concern is that they are holding UK citizens’ personal data without consent.
Why do I need to be concerned about this?
With huge companies like Facebook and well-known political parties being held up as examples of data protection enforcement, it may seem that your small business will fly under the ICO’s radar. It is highly unlikely that this will be the case. The ICO has taken on more staff and has greater resource and powers at its disposal than ever before.
We understand that many firms are yet to fully comply with GDPR and we have developed a specific GDPR Rescue Package for those who need to get their businesses in line quickly. We advise you to act now to ensure your policies and procedures are tight enough to meet the new requirements. Bear in mind that the ICO has seen a sharp increase in complaints about data protection breaches since GDPR came into force; the French regulator has seen a 50% increase since this time last year. There is nothing to prevent your customers from making a complaint; the only protection is ensuring you are compliant with the rules.
This is just the beginning of the new era – even if you don’t attract the ICO’s attention for a while, is it worth the risk of being fined 4% of your annual turnover or 20 million euros?
It may all seem quite daunting but it is more important than ever to tackle your GDPR compliance. Now is the time for ACTION and remember LawBite is here to help!
To consult with the LawBrief lawyer Barbara, please submit an enquiry for a free 15-minute consultation or call the dedicated GDPR Hotline on 0845 241 1843.