GDPR: 12 months on, 12 Takeaways

United Kingdom

Some commentators were expecting the GDPR to be the new Y2K, and others the dawning of the data apocalypse. The reality has been less dramatic, but has nonetheless brought a range of challenges and lessons learned. Here are our 12 takeaways on the GDPR 12 months on, each to be enjoyed with a catchy entertainment-related pun.

1. Show me the money!

Administrative fines

So far, European regulators have used their enforcement powers to levy fines totalling over €56 million against 91 companies (including €50 million against a single organisation) (EDPB Report, February 2019). That may sound like a lot but, with the exception of the €50 million Google CNIL fine (which Google is currently appealing), these have all been fairly conservative and nowhere near the maximum level of fines that the regulators are able to order.

However, it looks like the honeymoon period may be over, as a number of European regulators, including the Irish Data Protection Commissioner, have foreshadowed that further big fines are on the way.

2. Frozen

Stop processing orders

Fines are not the only enforcement action that can be taken. The UK Information Commissioner’s Office (ICO) and the French regulator, the CNIL, have issued stop processing notices requiring organisations to stop infringing processing activities.

The ICO required HMRC to delete all the biometric data that it collected in relation to its new Voice ID system without explicit consent because it failed to give customers sufficient information about how their biometric data would be processed using this system and failed to give them the chance to give or withhold consent.

The CNIL ordered Vectaury (a demand-side mobile ad platform) to stop processing that did not meet the requirements for valid consent and to delete all data it had not already deleted (having judged collection non-compliant given consent was not valid).

These types of orders are a powerful weapon given how disruptive and costly to an organisation it can be to have to stop a core business activity.

3. Honey, I Shrunk the Marketing Database!

Re-consents

Everyone remembers around this time last year being inundated with emails saying “You must re-consent or you’ll never hear from us again!” Many businesses lost a huge proportion of their marketing databases by attempting to re-consent when this may not have even been required, for example if a combination of “legitimate interests” under GDPR and “soft opt-in” under ePrivacy rules could be relied on.

Some businesses were not overly concerned and saw this as an opportunity to cleanse redundant data and build a better quality database from the ground up. However, for others the impact was devastating and it may be that we see some businesses looking to seek recourse for negligent advice received on this issue.

4. To agree or not to agree (that is the question)?

Consent

There have been a growing number of complaints regarding invalid consent or other legal bases. For example, the French CNIL’s €50 million fine against Google Inc and Privacy International’s complaints against data brokers, credit reference agencies and ad tech companies, and the Vectaury decision mentioned above.

These cases are confirming the importance of undertaking a careful analysis of the available legal bases for processing and deciding which best fit your processing activities. Furthermore, individuals need to have a reasonable level of choice and control over how their data is used.

5. Clear and Present Danger

Transparency

Similarly, lack of transparency has been a key theme in complaints and enforcement action so far. The fact that a business’ processing activities are complex does not excuse it from having to explain in clear terms to individuals how it uses their personal data.

No one is questioning the challenge for big technology companies that have a complex ecosystem of products or for emerging technologies such as Artificial Intelligence and Big Data-powered solutions to explain how these work from a personal data perspective. However, the message seems to be that organisations cannot seek to hide behind impenetrable privacy notices where, if individuals properly understood the full picture, they may make different choices in relation to the information they provide to organisations and/or the organisations they deal with.

6. Misery

Personal data breaches

The numbers of personal data breaches reported to regulators and to affected individuals has significantly increased, primarily as a result of the new mandatory breach reporting regime. According to the IAPP, more than 89,000 data breaches have been reported to the various EEA regulators in the last year. Towards the end of 2018, the ICO had already had in excess of 8,000 data breaches reported to it.

According to the EDPS report mentioned above, around 1/3 of post-GDPR EEA regulator enforcement cases initiated as a result of a data breach report. One more is likely to be the much-publicised British Airways hack, which compromised customer account data, including payment details. One of the issues for determination in that case is whether this will be treated as a personal data breach under GDPR or under the previous legislation given that one of the relevant security incidents from which the recent breach stemmed occurred pre-GDPR.

In the meantime, many businesses are still grappling with some of the practical issues around the stricter breach reporting regime, such as when the clock actually starts on the 72 hour time limit for reporting personal data breaches to the data protection regulator.

7. GDPR Attacks

Territorial scope

The territorial scope provisions of the GDPR mean that organisations established outside the EU may still be within the reach of EU regulators if they direct goods / services at individuals, or monitor their behaviour, in the EU. For example, the CNIL took regulatory action against Google’s US company on the basis that it was understood to be where the key decisions as to the purposes and means of processing were made. Google has since indicated its Irish entity as its main establishment for GDPR purposes.

Accordingly, international businesses need to be wary of these long-arm provisions. It is also important that they understand that liability and accountability for data protection compliance may follow the entity that makes the decisions on the purposes and means of processing personal data, which may be a non-EEA entity (even if the organisation has entities within the EEA, but these do not make those key decisions).

8. (Article) 28 Days later

Processor contracts

The Dutch regulator has undertaken an exploratory investigation to assess whether 30 large organisations, across a broad spread of sectors, complied with the GDPR. As part of this, the Dutch regulator requested various organisations’ data processing agreements and details relating to the processing activities, retention periods and security. Supply chains can also be targets in cyber breaches and so the Dutch regulator also requested the various private organisations to provide the agreements in place with the third parties that process personal data on their behalf.

It may be that other regulators follow suit, so controllers should ensure that their contracts with service providers include the mandatory Article 28 processor terms.

9. Humans

Data subject rights

Many of our clients have noticed a spike in the number of data subject requests received post-GDPR, in particular requests made in conjunction with litigation or employment disputes. This reflects IAPP research, which found that EEA regulators had received more than 144,000 individual complaints, many of which related to data subject rights.

This increase is likely spurred by greater consumer awareness (and in some cases misunderstanding) of the relevant regulatory requirements, and the prohibition under the GDPR in charging a fee in most circumstances. If volumes of subject access requests are an issue, businesses may find it worthwhile investing in self-service solutions that enable individuals to access information themselves where this is feasible.

In addition, consumer groups are gaining traction in bringing complaints to regulators on behalf of groups of individuals for the purported infringement of their data protection rights (e.g. Privacy International and NOYB).

10. Le Divorce

Brexit

The ICO has issued detailed guidance on what to do when the UK becomes a “third country” for the purposes of international data transfers under the GDPR to ensure that data can continue to flow between the EU and the UK. For many EU businesses, this may mean putting in place European Commission-approved standard contractual clauses to enable personal data to be exported to the UK compliantly with the GDPR requirements.

The US Department of Commerce has also issued guidance on the updates that need to be made to EU-US Privacy Shield certifications to ensure that organisations that rely on that regime can continue to receive personal data from the UK.

11. The Good, the Bad and the Ugly

Ethics

Ethics is a recurring theme with the regulators and becoming increasingly important to ensuring the sustainability of businesses’ data strategies.

Having an Ethics Board as part of your governance framework is a good way of ensuring that the individual is put at the heart of everything you do with personal data.

12. A (Data Protection) Officer and a Gentleman

Data protection officers

For organisations that carry out certain types of processing activities it is mandatory to appoint a data protection officer (DPO). According to IAPP research, more than 500,000 organisations are estimated to have registered DPOs in the last year.

The DPO has specific responsibilities under the GDPR and reports directly to the Board. This means that data protection compliance is receiving Board level attention but organisations will need to ensure that they appropriately resource and support their DPO, who is likely to be extremely busy keeping on top of all of their prescribed tasks under the GDPR.