After a long build-up, a great deal of commentary, fear, and anticipation, the EU’s General Data Protection Regulation or “GDPR” came into effect on 25 May 2018. At the time, a great deal of attention was focused on the wider scope of the GDPR and, in particular, how “personal data” was defined. Individuals or “data subjects” had more and better rights bestowed upon them, and any organisation that breached those rights would face tough new penalties.
So, what actually happened? At the time, many businesses scrambled to become compliant with the new GDPR regime. Inboxes throughout Europe and beyond became clogged with messages about updated privacy policies. Internet users suddenly found their favourite websites blocked because American companies either didn’t know how to comply with the GDPR or didn’t want to. Far from being taken as a (mostly) sensible and practical evolution of existing data protection legislation, the GDPR became a source of fear for many. Scarcely an article about it could be found that didn’t talk of fines reaching into the tens of millions.
The GDPR itself requires the European Commission to review it every two years. Here in 2020, the outcome of that review is now due and should have been published in April, but at the time of writing, it is now expected in June. Now is also a good time for businesses and other organisations handling personal data to review the GDPR themselves.
- After getting compliant in 2018, have you stayed compliant since?
- There was considerable confusion around the GDPR two years ago; have things been clarified?
- Has the GDPR been a success; is people’s personal data safer and have organisations taken more steps to truly protect privacy?
- Has there been a wider impact; what happened to all those American websites that cut us off?
- Has the GDPR been a force for change in other jurisdictions?
Moreover, as the oft-falsely attributed curse goes, may you live in interesting times. Both Brexit and the COVID-19 pandemic are significantly changing the business and legal landscape, not least where data protection is concerned.
In this post, we will take a look at the GDPR two years on, discussing those questions above (if not providing definitive answers!), and considering where we go from here. Whatever shape the UK’s domestic data protection legislation takes (initially as the “UK GDPR”), the EU GDPR and indeed the EU itself will remain central to many business’ compliance after the transition period ends. Meanwhile, the prevalence of home working and the increase in sensitive medical data changing hands within organisations as the world endeavours to press on through the coronavirus pandemic, also raise important issues that were unforeseen just two short years ago.
What did the GDPR ever do for us?
Data protection legislation is still, in the grand scheme of things, in its relative infancy. Privacy has been protected to some degree by law for much longer, but the first Data Protection Act in the UK only dates back to 1984. This was succeeded by the Data Protection Act 1998, and again by the Data Protection Act 2018 and the GDPR.
Technology, particularly the internet, has been a major catalyst for the development of data protection law. In the mid-1990s, the internet was still quite new, but the implications for privacy and the widespread use of personal data were clearly recognised from an early stage. The EU passed its Data Protection Directive in 1995, setting out minimum data privacy and security standards. Being a Directive, it was then up to EU Member States to implement it through their own domestic legislation and, thus, the Data Protection Act 1998 was born.
As the world settled into the 21st Century, the internet’s appetite for personal data stepped up the pace. In 2010, the European Commission adopted a communication entitled “A comprehensive approach on personal data protection in the European Union” and so began the work to update the 1995 Directive and, considering the growth of the internet, not before time. In 1995 less than 10% of UK households had internet access. By 2010, this number had risen to over 70%. In 2016, the General Data Protection Regulation was born, due to enter into effect in all EU Member States on 25 May 2018.
The definition of “personal data” expanded significantly to include not only the obvious forms of personal data such as names and contact details, but also less obvious – at first glance, anonymous – forms of data such as IP addresses. The amount of information to be provided to data subjects was increased, and rules surrounding consent where tightened up. Greater emphasis was placed on accountability and record-keeping, and higher standards for “lawful processing” applied.
The GDPR also brought with it a much greater territorial scope than had been seen before. Simply put, if an organisation processed the personal data of anyone residing within the EU, regardless of that organisation’s location, the GDPR applied.
More information was required to be given to individuals when collecting their personal data. This requirement was designed to promote transparency, ensuring that individuals were more informed about what their personal data was being used for, how, why, and what rights they had in relation to that. In practice, it also triggered a veritable blizzard of “we have updated our privacy policy” emails.
The GDPR was designed to raise both standards and hurdles when it came to the use of personal data. In particular, new rules over consent were introduced, including a stricter standard for consent. Consent and explicit consent would now require a clear affirmative action from the individual. Consent would now have to be freely given, specific, informed, and unambiguous. Data controllers were also now required to make it easy to withdraw consent at any time and, unless they had another legal basis on which to continue using the personal data in question, would have to cease using it upon such withdrawal.
Not only were the requirements for consent toughened up, but so were other lawful bases for personal data processing such as “legitimate interests”. Under the old Data Protection Act 1998 regime, the UK had taken a rather generous position on this particular basis, but the GDPR narrowed things down, placing a stricter emphasis on ensuring that such interests were not overridden by the rights and freedoms of data subjects.
Key new rights were bestowed upon individuals, not least the so-called “right to be forgotten”, which gave individuals the right to require organisations to delete all personal data relating to them. In practice, particularly with so much data being backed up in various forms and spread across multiple systems, the prospect of complying with this right was a source of considerable concern for many.
New requirements concerning accountability were introduced. Chief among these were the requirement to notify supervisory authorities (such as the ICO) of data breaches within 72 hours if the breach was likely to pose a risk to the rights and freedoms of individuals. Where there was a high risk that the rights and freedoms of individuals would be adversely affected, the individuals themselves were also to be notified. The GDPR also introduced new requirements relating to Data Protection Officers, making it mandatory for a wide range of organisations to appoint one. Also important under the heading of accountability was record keeping. Even in situations where a decision had been made to not do something, for example, because of a low risk to individuals’ rights, it would need to be documented.
How Did We React?
The majority of news items about the new GDPR were keen to emphasise one element above all others: the fines and penalties. In broad terms, the GDPR introduced two categories of fines, the highest of which could reach up to €20m or up to 4% of an organisation’s total worldwide turnover, whichever was higher. Cooler heads remarked that for many businesses that were already taking their Data Protection Act 1998 compliance seriously, there was little need to worry and that the change was easily manageable. Nevertheless, predictions of doom persisted.
Many were also confused about their obligations, leading in some cases to over-reactions and in others, to apathy. The over-emphasis in commentary on topics such as consent, for example, even led some to believe that it was now the only basis upon which they could use any personal data. Particularly for online operations in the US, so demanding and threatening was the GDPR that the preferred choice was simply to block all EU-based users from their websites.
Further concern stemmed from the fact that a great deal of guidance on data protection, including some of that available from official bodies, was outdated, referring only to the Data Protection Act 1998 / Data Protection Directive 1995 regime.
Where Are We Now?
What happened to all those huge fines that were going to put everyone out of business? There have certainly been fines, but, as the ICO was keen to point out in its blog post GDPR – sorting the fact from the fiction back in August 2017, “it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm…Issuing fines has always been and will continue to be, a last resort…we intend to use those powers proportionately and judiciously.”
There have been some big fines, certainly, but looking at them more closely, they are still far from the top end. The French supervisory authority, CNIL, issued a €50m fine to Google. This, however, amounted to a mere 0.04% of Google’s global turnover – arguably more the cost of doing business than a deterrent. Last year, the ICO announced its intention to fine British Airways £183.39m in relation to a cyber incident which took place in 2018. Again, big money, but only equal to around 1.5% of BA’s global turnover. Moreover, at the time of writing, BA has not yet been issued the fine after a series of delays and there are now questions over whether the ICO may take the financial impact of the COVID-19 pandemic into account, the effect of which would presumably be to reduce the fine or perhaps defer it.
The fines may not have turned out to be as bad as feared, but does this mean that people’s personal data is better protected? Is the GDPR doing its job? Certainly, awareness is much higher, even outside of the UK and EU. Some of the biggest names in technology have adopted GDPR standards of data protection worldwide, rather than focusing only on Europe. Small businesses that might previously have overlooked data protection entirely are now keen to get their privacy policies in place, and it is clear that the GDPR itself prompted a surge of updates to business practices and documentation, both inwardly and outwardly.
Moreover, much more useful guidance has emerged over the past two years, including comprehensive guidance on compliance from bodies such as the ICO, and certain issues that caused confusion in the early days have been clarified.
Has it all been good news, however? It would be difficult to argue that this is the case. The GDPR continues to be a source of uncertainty and increased costs, particularly where technology is concerned and in areas such as analytics and ad tech. A 2019 survey conducted by German trade association, Bitkom, found that for many, the GDPR represents a barrier to innovation, particularly where new technologies are concerned. Nor is it necessarily ideal for individuals, many of whom have long since tired of emails informing them of privacy policy changes. Moreover, while many have heard of the GDPR, it is at the very least open to question how many of those people really understand what it means for them. Then, there is also the issue noted above – the geo-blocking of online content, particularly from the US – solely on GDPR compliance grounds. One must ask whether this is a benefit to individuals at all. It will be interesting to see if the Commission’s review considers such real-world impacts and, if so, what improvements may emerge.
What Did You Do Back in 2018?
Two years feels like a long time. Longer now, probably, given that the past two months have felt like an eternity as the world collectively hangs on the pause button. The advent of the GDPR caused no small amount of panic. Many scrambled to make their businesses compliant in time for the 25 May 2018 deadline that loomed like a threatening spectre.
Since then, however, the important question has become not so much “how did we do then?” as “how have we done since?”. Getting your business compliant in 2018 was but the first step of what a less jaded author might call your “GDPR journey”. Now that things have had time to settle down and guidance has become more widespread and fleshed-out, it is an ideal time to take a fresh look at data protection within your business. As a starting point, consider these questions:
- Am I maintaining awareness of data protection within my business?
- Have the changes I made in 2018 been successful? What could I do better?
- Is my privacy information up-to-date and is it easily accessible?
- Am I keeping proper records? Is there any way I can improve upon them?
- Have I had any data breaches? Have they been handled properly?
- Am I being proactive about data protection when considering new uses of personal data?
A Data Protection Audit is a useful exercise to carry out on a regular basis as it prompts you to ask and answer questions like these in more detail, considering all aspects of your business’s data protection compliance. If you haven’t carried one out before or perhaps haven’t carried one out since preparing for the GDPR, now is a good time to get started. It might also be the case that you have avoided an audit because you are afraid of what it might turn up. That is not an invalid concern but consider this – it is an internal exercise and the ICO would rather you identified your weaknesses and fixed them than ignored them. You aren’t going to get a €20m fine landing in your lap because your internal audit identified room for improvement or even outright failings. It is better to find out what is wrong and fix it, so cast aside the fear and get going!
Another side to ongoing compliance is the Data Protection Impact Assessment. A DPIA is a valuable (and indeed mandatory in some cases) tool which helps you to evaluate new projects from a data protection perspective, identifying and minimising the risks from a variety of angles. Again, a DPIA is not an exercise that should be carried out once and forgotten about. A system, product, or feature that began as a new project back in 2018 will quite possibly have changed in some way since then. Perhaps without even realising it, the way in which you collect, use, or store the personal data involved has changed. DPIAs should, therefore, be regularly reviewed and repeated if necessary.
The Picture in 2020
Brexit and Data Protection
Until recently, one of the biggest topics up for discussion in data protection circles was Brexit. We know that, at the end of the transition period, the EU GDPR will cease to apply in the UK and that it will be replaced with a “UK GDPR” – a direct copy in many respects, with necessary contextual changes to accommodate its status as a solely domestic instrument (references to EU laws, institutions, and powers, for example, will be removed or replaced with UK equivalents).
We also know that, whatever the outcome of Brexit, it will remain possible to transfer personal data to the EU and EEA and to “third countries” covered by an existing EU Commission adequacy decision without constraint, as is the case now. Not only that, but the UK will also recognise the current EU Standard Contractual Clauses as a valid mechanism for international transfers of personal data.
We do not, however, know what the UK’s status will be from the European perspective. Despite the similarities in our data protection legislation, the European Commission must still assess the UK’s post-Brexit data protection framework and grant an adequacy decision in order for personal data to flow as freely into the UK from the EU and EEA as it can in the other direction. It is far from certain that an adequacy decision will be made before the end of the transition period.
If an adequacy decision is not granted before the end of the transition period – and many commentators think it unlikely that one will be – other safeguards will be needed to cover personal data moving from the EU into the UK such as the aforementioned Standard Contractual Clauses or binding corporate rules (to name just two examples). Another key change to data protection compliance will be the need to appoint an EEA representative from the end of the transition period if your organisation offers goods or services to individuals in the EEA or monitors their behaviour.
Home is where the Work Is – Data Protection and COVID-19
Just a few short months ago, we might have thought it impossible that any subject could knock Brexit of the top spot of things we were tired of hearing and worrying about, but along came the coronavirus, making Brexit look like proverbial small potatoes.
From a data protection perspective, the pandemic has resulted in a rapid increase in medical data changing hands within businesses of all shapes and sizes. Medical information is, of course, “special category” (formerly “sensitive”) personal data and thus requires greater levels of care and security. Not only that, but such data is also moving around in an inherently less secure environment in many cases. Instead of being confined to secure and tightly-controlled networks and equipment that is constantly kept up to date with the latest security patches and new software, business personal data is now finding itself residing on home computer systems and home networks – some lacking in the latest security software (or indeed any at all), left vulnerable by older equipment and weak passwords. Other security threats are also seeking to exploit the decline in secure IT environments with activities such as phishing reportedly (and dramatically) on the rise.
Not only does the increase in home working pose potential security threats, but it may also make it harder for some organisations to comply with requests from individuals to exercise their rights. With personal data less centralised, for example, it may be harder to locate it in response to a subject access request.
Maintaining awareness and providing regular training is essential in overcoming such new challenges. Having an up to date Data Protection Policy can help to underpin your staff’s knowledge and serve as a reminder of things that, again, might have been fresh back in 2018 but may have given way to complacency or simple forgetfulness by now. Where possible, other practical steps such as the use of VPNs and the issuing of centrally administered computers and other devices can be taken to help reduce the risks associated with individual staff working with personal data on their own devices.
Such challenging circumstances will undoubtedly make assessing the GDPR’s success a harder exercise, both for regulators and for organisations. It remains vitally important to protect personal data and to use it lawfully, fairly, and transparently. At this point, no virus-specific changes are planned for data protection law and it is doubtful that they will be. What is important to note, however, is that authorities such as the ICO are not oblivious to the difficulties. The ICO recently issued a statement reassuring us all that while the law itself remains unchanged, “We understand that resources…might be diverted away from usual compliance or information governance…We won’t penalise organisations that we know need to prioritise other areas or adapt their usual approach during this extraordinary period.” In short, keep calm and carry on!
Where To?
It is clear that while data protection regulation has evolved to keep up with modern technology and contemporary uses of personal data, there remain many problems. Perhaps the greatest of these is that the law appears to be too heavy handed. The law and technology have been at odds in many areas for a long time, and this shows no signs of abating.
Business, technology, and the law itself need to evolve to accommodate one another. Whether or not they will is a different matter. It does seem evident, however, that this is understood on all sides. Enforcement powers and penalties exist to punish those who break the rules knowingly or carelessly and put the rights and freedoms of individuals at risk. Does this mean that small businesses will be fined for innovating? Arguably not.
It will be particularly interesting to see how the UK’s data protection laws evolve after Brexit. While keeping closely in tune with EU legislation, it is arguable that a desire to make the UK an attractive economy for innovation and investment in technology may lead to new developments in the data protection framework. The UK GDPR will be the same as the EU GDPR for all intents and purposes – particularly from the SME perspective – but what comes next will make for interesting viewing.