In May this year we saw the General Data Protection Regulation (GDPR) come into force for organisations operating in the EU, wherever they are based. The stronger rules on data protection are meant to give people more control over their personal data, reshape the way organisations approach data privacy, and harmonise data privacy laws across Europe.
The ICO are taking action against organisations for data breaches
Being GDPR compliant is not a one-off project where you tick some boxes and are done with it. Your organisation is always evolving, and so are its activities, operations and people. Any of these changes could affect whether you are still compliant, so you will need to keep reviewing how your organisation handles data as those changes happen.
The ICO have undertaken enforcement action against organisations that have failed to protect the personal data of customers. These include Heathrow Airport, which was fined £120,000 for serious failings in its data protection practices after it failed to ensure that personal data held on its network was properly secured.
The ICO also found systematic inadequacies in the way the health insurance business Bupa safeguarded personal data. Bupa was fined £175,000 after a member of staff tried to sell customer data online; the ICO found that Bupa had failed to recognise the risks involved. Both of these penalties were issued under the Data Protection Act 1998 because the incidents predated GDPR, so they do not reflect the much larger fines now available. Amazon has also recently fired an employee for sharing customer email addresses with an external seller.
Enforcement from the ICO also covers organisations that have failed to pay the new data protection fee. Under the new Regulations, organisations that determine the purpose for which personal data is processed (controllers) must pay a data protection fee unless they are exempt. This replaces the requirement to ‘notify’ (or register) under the Data Protection Act 1998 (the 1998 Act). However, the ICO website states that this doesn’t mean everyone now has to pay the new fee: controllers who have a current registration (or notification) under the 1998 Act do not have to pay it until that registration has expired.
Rising number of complaints to the ICO
With greater media attention and the government’s advertising of GDPR, individuals have also become increasingly aware of their rights and are exercising them. The number of complaints to the ICO about potential data breaches has more than doubled since GDPR came into force.
Businesses are being held to account. Those holding sensitive personal information, in particular financial, health and education services, are finding themselves under much scrutiny and are the most complained about.
Since the introduction of the regulation it is easier for an individual to request access to the information that an organisation holds about them, which has led to an increased number of requests. Disgruntled individuals are prepared to use the full force that GDPR gives them. Some organisations are struggling to manage the additional work that GDPR has created, from implementation and answering data requests to managing data breaches. This is of huge concern for businesses, especially considering the size of the fines that the ICO can impose.
If there is no Brexit deal what are the implications for data protection?
The government’s website states that “if the UK leaves the EU in March 2019 with no agreement in place there would be no immediate change in the UK’s own data protection standards. This is because the Data Protection Act 2018 would remain in place and the EU Withdrawal Act would incorporate the GDPR into UK law to sit alongside it.” However, organisations would need to take action to ensure that EU organisations could continue to send them personal data.
Under GDPR, all organisations should have reassessed what data they hold and how it is used. The ICO requires organisations to be able to show how they comply with the data protection principles. If you are concerned that your business could be in breach of GDPR, contact us or visit the ICO website for more information.