Has much changed since GDPR-Day?

Fines

We’re still waiting to see what “GDPR fines” will look like. The Information Commissioner’s Office (ICO) continues to fine approximately three organisations a month, under older Data Protection Act 1998 and Privacy and Electronic Communications Regulations legislation. Both have a £500,000 upper limit. Equifax was the first company, ever, to get the full £500K whack in September 2018. An ICO/Financial Conduct Authority (FCA) investigation found failure with five of the eight data principles. Personal data of 15 million UK citizens was stolen from this colossal credit bureau’s U.S. systems. It is interesting to compare this against Tesco Bank’s FCA fine in October, which amounted to £16.4 million (3,300% higher!), after their payment-card processes were compromised and £2.3 million was directly stolen. Building upon fines, and potentially even more costly, we see an increasing number of law firms positioning themselves to take group action (“class action” in the United States) against such firms that fail to protect the human right to privacy. For example, Hayes Connor Solicitors has proposed, on a no-win-no-fee basis, up to £5,000 per victim that was affected by the recent British Airways website hack. 380,000 people are said to have had their payment-card details compromised, suggesting a maximum bill of nearly £2 billion; however, figures closer to £500 million also have been floated. This cost would be in addition to any GDPR fines, which could be a similar value if appropriate controls cannot be demonstrated, plus the costs of remediation, operational management, lost business, etc. We wait to see how damages will be calculated. Move over Payment Protection Insurance!

International Transfers

The European Parliament voted, on 5 July, to suspend the EU-U.S. Privacy Shield – this is one of the most commonly used safeguards when sharing personal data with the United States. However, this was a non-binding recommendation and has so far resulted in very little change. At the same time, Brexit shenanigans suggest that the UK’s data protection legislation may no longer be deemed adequate for the EU, even though “GDPR” is referenced to excess within the UK’s new legislation. Companies’ responses to both complications have ranged from “let’s wait”, to establishing Model Clause Contracts, to physically relocating businesses. Either way, these political wranglings must be proving costly for businesses, while the underlying processes and risks remain the same.

Data Subject Requests

Most companies have seen an increase in the number of requests being made. Some considerably so. The more challenging requests were often driven by pending legal action from disgruntled ex-employees or from upset customers. In the latter case, resolving the underlying issue has proved more cost effective in many cases, with some customers subsequently agreeing that they didn’t really want a data request in the first place. The benefit of ensuring that certain internal discussions are held under legal privilege is also becoming more prevalent, both in terms of dealing with the harder data subject requests and when handling security events.

Defensible Positions

The ICO doled out a £120,000 fine to Heathrow Airport Ltd, in October, for inadequate data security controls. They also took time to highlight that only 2% of HAL’s staff had been trained in data protection. We suspect this didn’t help to reduce the fine.

As the Q2 excitement around Consent and Privacy Notices dies down, demonstrable accountability remains an area that many companies are still working on. This includes training staff, appropriately documenting and assessing processes, maintaining appropriate controls, signing adequate third-party agreements and formalising governance mechanisms. Many companies are finding that they need more than just spreadsheets to achieve a position they are comfortable with. If there is a window for non-compliance with the law, beyond the two years already provided by the legal system, that window is certainly continuing to close. The ICO continue to suggest they will take a measured approach, and that companies which can demonstrate they have tried to do the right thing will come off better when things go wrong. We wait to see what level of risk appetite is deemed appropriate when the GDPR enforcement actions commence.