During the first quarter of 2018 we were inundated as consumers with an acronym that almost seemed to define our lives: GDPR, the General Data Protection Regulations that came into force on 25th May 2018. They were enacted into UK Law by the Data Protection Act 2018. We were being asked if we were happy to continue to receive emails and if we were happy for businesses to hold out information and we were being sent data privacy statements as if all of this would help the business comply with the new regulation.
Consent was king, it seemed none of these organisations had tested whether there was a legitimate business reason for controlling and processing the data.
Under GDPR, personal data is any information relating to an identified or identifiable natural person, which means someone who can be directly or indirectly identified.
What else has happened in the last year, what impact has GDPR had and are there any lessons to be learned from the last 12 months?
However, the number of data subject access requests continues to increase unabated.
This was a Europe-wide regulation so let’s start with a summary of the whole picture across Europe, source iapp.org:
- GDPR enforcement actions have resulted in fines in excess of €56,000,000
- Over 280 cases have involved cross border activity
- There have been 64,000+ data breach notifications to DPAs
- Over 94,000 individual complaints have been received
- Data Protection Agencies have received over 200,000 cases
- Over 375,000 organisations have registered a Data Protection Officer
It can be seen that GDPR has had an affect across the EU. The UK’s Data Protection Authority (DPA), the Information Commissioners Office, has been busy too. In addition to publishing and updating guidance on its website, it has been involved in enforcement actions, one of which is highlighted below. Despite the guidance from the ICO, many businesses felt overwhelmed by the sheer volume of information they received about GDPR that they could not assess how the new regulation affected them. However. With the onslaught of similar communications from disparate organisations, the public grasped the essence of the new regulation resulting in an increase in complaints about data breaches to the ICO by 160% in the first six weeks of the new regulation alone.
In October 2018, the ICO issued its first enforcement notice under GDPR. This was against the Canadian data services firm, AggregateI Q (AIQ).
AIQ’s breaches of the GDPR relate to its use of personal data of UK individuals in connection with its business of providing data services to political organisations. Specifically, AIQ used this data to target individuals with political advertising on social media. This is linked to the issues surrounding Facebook and Cambridge Analytica.
The specific GDPR breaches were as follows, AIQ processed personal data:
- without a lawful basis for that processing (principle a);
- in a way that the data subjects were not aware of, for purposes which they would not have expected (principle b); and
- that was incompatible with the purposes for which the data was originally collected (principle b).
Recurring themes
The recurring themes of complaints to the ICO, and DPAs in general are transparency and consent. In financial services, we have a legitimate business reason to control and process client data. Many firms in our sector have updated their terms of business to incorporate the requirements of GDPR, we are, in this respect, in the mindset of a highly regulated industry and geared to reacting to changes in regulation.
It is worth looking at a couple of examples from outside of financial services to understand how other sectors have not implemented the regulation as DPAs expected:
- In September 2018 an internet browser filed a complaint with the ICO and the Data Protection Commission (the Irish DPA) regarding the advertising industry. The main thrust of the complaint was a lack of transparency information provided to website users about how data collected was used to build profiles and target advertising.
- In November 2018, Privacy International filed complaints in the UK, France and Ireland in respect of two data brokers, two credit reference agencies and three advertising technology companies challenging the valid legal basis for these companies to be processing data based on the transparency information provided to individuals.
One of the key themes is the level of detail that is expected to be included in the transparency information provided to data subjects. For example, in its statement on the Google fine, the CNIL (the French DPA) said that Google’s “purposes of processing are described in a too generic and vague manner”, and “that the information about the retention period is not provided for some data“. An Italian lawyer was quoted as saying “it is likely that a number of businesses are similarly vague in their privacy policies (if not more so); businesses should be looking again at their privacy policies in light of the CNIL’s decision to see if there is any scope for making them more specific”.
Data Subject Access Requests
As we are aware, GDPR granted our clients greater rights over their personal data, including:
- rights of access;
- rights of erasure;
- rights of portability
- rights of rectification; and
- rights to be informed
After the inception of GDPR there was a perceptible increase in the number of requests from individuals for erasure of their data which slowed down at the turn of the year. However, the number of data subject access requests continues to increase unabated. As a reminder, a data subject access request needs to be responded to within 30 days and unless requests are repeated and vexatious, no charge can be levied for providing the information.
Who is a data subject?
It is worth pausing to remind ourselves that it not just our clients or customers who are data subjects. A data subject under GDPR is any person whose personal data is being collected, held or processed. Therefore, the following groups are potentially data subjects:
- Staff
- Clients and customers
- Contractors
- Consultants
- Suppliers
What to consider
As regulated firms in Financial Services, we have two regulators looking at our compliance with GDPR, the ICO and the FCA. There is no room to rest on our laurels. The final graphic illustrates five issues you should consider, both now and on an ongoing basis.
GDPR has been with us for a year and best practice will evolve over time, keep this in mind when reviewing the processes and procedures, systems and controls in your firm. Make sure everyone knows their responsibilities and accountabilities.
Check Policies and Procedures
Do they reflect best practice?
Do they need updating regarding transparency?
Does your Terms of Business need updating?
Do they include provisions for processing DSARs?
Review Contracts with suppliers
Do they comply with the requirements of GDPR?
Do they incorporate the rules about transferring personal data outside of the EU?
Privacy Impact Statements
A key philosophy of GDPR is privacy by design
Have you undertaken privacy impact assessments where relevant?
Do these require periodic updating
Staff Training
Is data security part of regular ongoing training
Do your staff need a refresher
Is the training tailored so that staff that regularly handle personal data receive a more in-depth course or module?
Security breaches
Are you comfortable that staff know what to do in the event of a security breach?
Do they know who to report to, does everyone know who the DPO or equivalent is
Has this been discussed at Board or Senior Management level so that everyone knows their responsibilities