The General Data Protection Regulation or GDPR has been in effect now for
two years. When it came into effect on 25 May 2018, it represented a major
step forward in data protection legislation and expanded significantly on
the Data Protection Act 1998 which, in turn, was derived from the EU’s 1995
Data Protection Directive.
The GDPR significantly enlarged the scope of what counted as “personal
data”, individuals or “data subjects” benefitted from new rights, and new
obligations were imposed on those using personal data, both as controllers
and as processors, with a view to enhancing the protection of this valuable
Far more so now than in 1995, personal data is very much a commodity. In
1995, for example, less than 10% of UK households had internet access. By
2010, this number had risen to over 70%, and now here in 2020, that number
is over 90%. Big tech giants with insatiable appetites for our private and
personal information simply did not exist the last time a piece of flagship
data protection legislation was crafted. The result has perhaps not struck
the right balance and has clearly had some unintended negative impacts on
much smaller organisations who now find it difficult (or perhaps too risky)
to innovate or use technologies to their full potential, but it is
nevertheless clear that change was needed.
Another much-reported side to the GDPR was penalties. In the run up to May
2018, it was difficult to find any commentary that didn’t warn of large
fines reaching up to €20m or 4% of global turnover. Small businesses feared
ruin for innocent mistakes, and a great deal of the commentary at the time
didn’t do a great deal to dispel this fear. Even the ICO themselves were at
pains to point out that they were not looking to fine everyone into
oblivion, yet few seemed to be paying attention. Two years later, and even
one of the world’s greatest tech bogeymen, Google, hasn’t felt the full
force of the GDPR’s wrath. Indeed, a €50m fine handed to it by the French
supervisory authority, CNIL, equated to a paltry 0.04% of Google’s global
Getting Started with the GDPR and Keeping Up
There was something of a scramble to prepare for the GDPR, particularly
with so many fearing harsh penalties. There was also, it must be said,
considerable confusion over the new, broad definition of “personal data”
and over important issues such as consent.
Guidance available in the early days was something of a mixed bag. Some was
new and sound, some based on supposition, some was based on the old law,
and sometimes it was difficult to tell the difference. Since then, however,
guidance on the GDPR and Data Protection Act has cleared up somewhat,
particularly from authoritative sources such as the ICO.
The question to be asking now, then, is not so much “what did we do
then?” as “what have we done since?”
Getting your business compliant back in 2018 was a great first step, but
these things do not stand still. Now is a good time to take a fresh look at
your data protection compliance, not least in light of the fresh challenges
posed by the COVID-19 pandemic and Brexit.
New and Updated Documents to Help You Along
A Data Protection Audit is a useful starting point in evaluating your data
protection compliance and should be carried out on a regular basis.
Certainly, if you haven’t undertaken one since 2018, now is a good time to
get started. What’s more, our Data Protection Audit templates have been
reviewed and updated both in light of best practice and in light of the
current pandemic which has resulted in a huge increase in home
There may be a certain degree of trepidation at the prospect of a data
protection audit. Perhaps you don’t want to find out that you’ve got
something wrong. This is a valid concern, but the mere act of carrying out
an audit is not going to trigger alarm bells at the ICO. Indeed, if there
are underlying flaws in your approach, the ICO would much rather you found
them and fixed them than swept them under the rug. So, celebrate the GDPR’s
second birthday with a data protection audit!
Another important aspect of ongoing data protection compliance is the
Data Protection Impact Assessment. In some cases, where a project poses a high risk to data subjects, this
exercise is a legal requirement, but it can be useful even in low-risk
scenarios. To introduce more flexibility into the equation, we have now
published a new Short Form Data Protection Impact Assessment. The structure
is the same as our existing template; however, various sections favour an
open approach in place of lists of prescribed questions.
The key topics required in a DPIA remain, but how you address those topics
can be better tailored to the particulars of your project.
It is not only businesses that have become more aware of data protection,
of course. Individuals are getting increasingly privacy savvy. One of the
key rights afforded to individuals under the GDPR is the “right of access”
– exercised by means of a subject access request. To add to, and support,
our existing range of templates for handling SARs, we have now introduced a
set of Subject Access Request Guidance Notes, which explain the various
important aspects of SARs in more detail.
May You Live in Interesting Times
May we? Mais oui! Both Brexit and the COVID-19 pandemic pose new challenges
for data protection in 2020.
On the Brexit side of things, we know that, come the end of the transition
period, the GDPR will be replaced in UK law with a “UK GDPR” – legislation
that will essentially copy the GDPR but with necessary changes to wording
such as the removal or replacement of references to EU laws, institutions,
and powers. It is also established that existing European Commission
adequacy decisions and standard contractual clauses will be recognised by
the UK. It will be possible to transfer personal data from the UK to the EU
and EEA, and to third countries covered by the adequacy decisions.
For data going the other way, however, things are not so certain. The
European Commission will need to reach an adequacy decision over UK data
protection law, and it is currently considered unlikely that this will
happen before the transition period ends. Other mechanisms, such as model
clauses or binding corporate rules, would thus be needed to move personal
data from the EU or EEA into the UK. Those businesses offering goods or
services to individuals in the EEA or monitoring their behaviour will
likely need to appoint an EEA representative.
What, then, of the coronavirus? Not only has this unprecedented situation
resulted in increased amounts of medical (i.e. “special category”) personal
data being handled within businesses, but it also means that a lot of
personal data is being processed outside of the normal secure IT
Home working presents a particular challenge where data protection is
concerned. It is important now more than ever to ensure that your staff are
trained, and that awareness is maintained. We recently published a Home
Working Data Protection Policy with additional security measures designed
with home working in mind. Our Data Protection Audit templates also include
new prompts to consider the issues raised by home working.
Read All About It!
This look backward and forwards continues in more depth here on our blog. In addition to a deeper dive on the topics above, we also ask where UK
data protection regulation might go next. The UK GDPR is more or less set,
but what will come after that?
The contents of this Newsletter are for reference purposes only and do not constitute
legal advice. Independent legal advice should be sought in relation to any specific