At the end of May, our LawBrief, Rachel Robinson, provided a webinar about the progress of the implementation of the General Data Protection Regulation (GDPR) and recent enforcement activity of the data protection regulator, ICO (Information Commissioner’s Office).
The GDPR, which came into force on 25 May 2018 (and was implemented in the UK by the Data Protection Act 2018), obliges organisations that process personal data to do so only if they have lawful grounds for processing and have taken appropriate security and technical measures to protect that data. The GDPR introduced (among other things):
- enhanced documentation to be kept by data controllers
- enhanced Privacy Notices
- more prescriptive rules on what constitutes consent (one of the most used grounds claimed for lawful processing)
- mandatory data breach notification requirement
- enhanced rights for Data Subject (the individuals whose data is being processed)
- new obligations on Data Processors (third parties carrying out processing activities on behalf of the main party) and
- an obligation to appoint dedicated Data Protection Officers for organisations over a particular size or if carrying out systematic processing of certain types of personal data.
Also, GDPR introduced a significant increase in the size of fines and penalties that ICO can issue if organisations don’t get it right and individuals’ personal information is put at risk. For breaches that are (mainly) about record keeping, contracting and security obligations, the maximum fine that ICO can levy is up to €10 million or 2% of annual worldwide turnover (whichever is greater). For breaches of (mainly) the basic principles, data subject access requests, transfers to third countries and non-compliance with an ICO order, the maximum fine is up to €20 million or 4% of annual worldwide turnover (whichever is greater).
Recent ICO activity includes fining Facebook (£0.5m), Bounty (UK) Limited (£400,000) and the Vote Leave Campaign (£40,000), as well as an increasing number of individuals (for unlawful data sharing or use, such as sending client details to home email addresses). Until recently, offences were investigated under the previous legislation (the Data Protection Act 1998), so the fines levied were lower than they could have been under the GDPR. ICO has announced that, as a result of its current investigations, higher fines can now be expected for breaches of GDPR.
Since our webinar, ICO has published an update on its own reflections and learnings from the past twelve months, and has refreshed its Regulatory Action Policy. In the report, ICO flagged the ongoing challenges for small and medium-sized businesses and organisations. In particular, organisations need to be able to demonstrate their compliance with the GDPR by showing accountability: understanding the risks to individuals in the way they process data, showing how those risks should be limited, and acting on that.
The refreshed ICO Policy continues to follow a risk-based approach to taking regulatory action against organisations and individuals that have breached data protection, freedom of information and other legislation, focusing on the areas of highest risk and greatest harm.
ICO has wide-ranging powers under various pieces of legislation, which include (among other things) the power to
- carry out audits or “compliance assessments” of organisations;
- issue enforcement notices (orders requiring specific actions to resolve breaches);
- fine organisations for breaches of GDPR;
- issue fixed penalties to organisations for failing to meet specific obligations (e.g. a failure to pay the relevant fee to the ICO); and
- prosecute criminal offences before the courts.
Where ICO has investigated an organisation and is deciding what regulatory action to take, it can take into account aggravating and mitigating factors (things the organisation has done or failed to do which make the behaviour or outcome worse, or less severe, than it might otherwise have been). Aggravating factors include:
- whether the attitude and conduct of the individual or organisation concerned suggests an intentional, wilful or negligent approach to compliance, or an unlawful business or operating model;
- whether advice, warnings, consultation feedback, conditions or guidance from the ICO has not been followed; and
- any financial (including budgetary) benefits gained or financial losses avoided by the relevant individual or organisation, directly or indirectly.
On the mitigating side, ICO may take into account whether
- the organisation had in place any protective or preventative measures and available technology; or
- there was early notification of the breach or issue to the ICO by the relevant individual or organisation.
To help demonstrate compliance (and to help mitigate any fines if investigated by ICO and found to be in breach), we recommend that organisations introduce a range of policies and keep records to show not only that they comply with GDPR, but that they are accountable for that compliance. The minimum documents recommended for most SMEs are:
- Privacy Notices (to show individuals what data is held and what is done with it)
- Data Processing Log (an internal management document under Article 30 GDPR showing the processing undertaken and decisions relating to that processing)
- Subject Access Request policy (an internal policy for staff detailing how requests from individuals will be dealt with by the organisation and how to respond to a request in a GDPR-compliant way)
- Data Retention policies (an internal policy for staff detailing how documents should be kept safely and securely, including minimum and (where applicable) maximum retention periods needed to demonstrate compliance with various laws, including tax and contract law, as well as the destruction of documents in a GDPR-compliant way)
- Data Processing Agreements (with third parties) – a requirement of the GDPR
- Data Breach Process (an internal policy for staff detailing how breaches of GDPR will be dealt with by the organisation in a GDPR-compliant way)
It should be stressed that just having documents in place is not enough: organisations must be able to show that data protection is at the heart of the business, and that policies and procedures are supported and enforced by management, including ongoing training and monitoring of staff.
At LawBite, we can help guide businesses through the maze of initial compliance and with the process of remaining compliant with the GDPR obligations.
Our suite of GDPR products provides the ideal solution to get your business fully compliant.
If you remain uncertain about whether your data protection procedures are fully compliant, you can check your position via our handy GDPR Checklist.
The author of this article is expert LawBrief Rachel Robinson.
Rachel has over 20 years’ experience of providing company commercial law advice, including drafting contracts, data protection and competition law, to organisations of all sizes, ranging from FTSE 100 companies to owner-managed small businesses.