It’s been six months since GDPR came into effect on 25th May. Despite the Y2K like panic in the run up to May, the world did not come crashing down and despite some high profile data breaches, the ICO is yet to issue its first fine under the new regime.
But what has happened in the last 6 months and what is still to come?
Over the last six months the ICO have made several updates to their online guidance, including –
A more comprehensive and in-depth analysis of what constitutes personal data has been added to the online guide and also a separate detailed publication(https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/key-definitions/what-is-personal-data/ )
Individual sections on each core principle including guidance and practical examples (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/principles/ )
A significantly expanded section on international transfers (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/international-transfers/)
A significantly expanded section on the exemptions (including those in schedules 2-4 of the Data Protection Act 2018 (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/exemptions )
Updated security guidance (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/security/)
New guidance on encryption and passwords for online services (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/security/passwords-in-online-services/ )
The ICO have also updated their guidance on the right of erasure in respect of backups. They have confirmed that the right is also applicable to data held in backups and the updated guidance emphasises the need to ensure erasure from backup systems as well as from live systems. For delayed erasure for backups they maintain the position that it is important to put the data ‘beyond use’. https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure
The ICO have also finalised the detailed guidance on children and the GDPR https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/applications/children/
The ICO have confirmed that the number of self-reported data breaches for the first half of 2018 was more that for the whole of 2017. As a result, the ICO have issued an update to remind organisations that reports only have to be made where the breach is likely to threaten an individual’s security. Organisations are encouraged to call the ICO helpline before making a report (and remember if you are in any doubt you can always ask Teal Compliance who are always on hand to help!).
On 12th November 2018, the ICO issued it’s consultation on the new proposed Direct Marketing Code https://ico.org.uk/about-the-ico/ico-and-stakeholder-consultations/call-for-views-direct-marketing-code-of-practice/
The Data Protection Act 2018 required the Commissioner to produce an improved code which provides practical guidance and promotes good practice. The new code will only cover the rules under PECR and will only be updated once the new E-Privacy Directive is finalised. The consultation is open until 24th December.
The ICO is also asking parents, carers, and those who work with children to give their views on the draft Age Appropriate Design Code which set the standards which must be followed by those who provide online services and apps for children https://ico.org.uk/about-the-ico/ico-and-stakeholder-consultations/call-for-views-age-appropriate-design-code/ – this consultation is open until 5th December 2018.
Whilst we are yet to see the first ‘GDPR’ fine, there have been a number of high profile ICO enforcement actions and some high profile Court cases in the last six months.
WM Morrisons Supermarkets Plc v Various – the Court of Appeal ruled that the supermarket must pay compensation to thousands of employees who were victims of a data beach in 2014. The High Court ruled in 2017 that the supermarket was vicariously liable for this breach so Morrisons took the claim to the Court of Appeal. Morrisons had argued that they should not be liable for this breach because they had safeguards in place to protect the data. This stance was challenged by more than 5,000 past and current staff. Morrisons have indicated that they will now take the decision to the Supreme Court. This is a stark warning to employers that they can be held viciously liable for data breaches caused by employees even if they have appropriate safeguards in place.
Lloyd v Google LLC – the High Court has refused to grant leave to serve a claim form on Google Inc outside the English Jurisdiction in relation to the ‘Safari workaround’ which involved Google allegedly using cookie technology on the iPhone safari browser to obtain browser-generated information about iPhone users between 2011-2012 without their knowledge.
ICO Prosecution under the Computer Misuse Act 1990 – a motor industry employee has received a six month prison sentence following the first prosecution to be brought by the ICO under the Computer Misuse Act 1990. The worker, who was employed by Nationwide Accident Repair Services accessed thousands of customer records containing personal data without permission, using his colleagues’ log-on details to access the Audatex system. He then continued to do this when he changed employer. Confiscation proceedings under the Proceeds of Crime Act are in progress to recover any benefit obtained as a result of the offending.
Metropolitan Police 16th November 2018 – issued an enforcement notice on concerns relating to the Gangs Matrix
Facebook Ireland Ltd – 24th October 2018 – £500,000 fine for breaches of data protection law
Heathrow Airport – 8th October 2018 – £120,000 fine for failing to ensure the security of personal data
Equifax Ltd – 20th September 2018 – £500,000 fine for failing to protect personal data relating to a cyber attack in 2017
Bupa Insurance Services Ltd – 28th September 2018 – £175,000 for failing to have effective security measures in place
In addition, there have been a number of fines relating to nuisance emails/calls –
Secure Home Systems £80,000 (for 84,347 nuisance calls to TPS subscribers)
ACT Response Ltd £140,000 (for 496,455 nuisance calls to TPS subscribers)
Boost Finance Ltd £90,000 (for nuisance emails about pre-paid funeral plans)
Oaklands Assist UK Ltd £150,000 for nuisance direct marketing calls
All of these cases highlight that ICO will act where it becomes aware of a data breach or due to breaches of PECR so it’s more important than even to make sure that your processes are up to date being used by your employees AND just as importantly that you have all the documentation you need to demonstrate accountability just in case the ICO do get in touch with you.
The controversial update to PECR is experiencing further delays and is now not expected to be ready until Spring 2020. Keep an eye on our website for the latest updates.
Contact Teal Compliance at firstname.lastname@example.org if you have any data related questions. An initial call is always free.