The GDPR Two Years On
The General Data Protection Regulation or GDPR has been in effect now for two years. When it came into effect on 25 May 2018, it represented a major step forward in data protection legislation and expanded significantly on the Data Protection Act 1998 which, in turn, was derived from the EU’s 1995 Data Protection Directive.
The GDPR significantly enlarged the scope of what counted as “personal data”, individuals or “data subjects” benefitted from new rights, and new obligations were imposed on those using personal data, both as controllers and as processors, with a view to enhancing the protection of this valuable commodity.
Far more so now than in 1995, personal data is very much a commodity. In 1995, for example, less than 10% of UK households had internet access. By 2010, this number had risen to over 70%, and now here in 2020, that number is over 90%. Big tech giants with insatiable appetites for our private and personal information simply did not exist the last time a piece of flagship data protection legislation was crafted. The result has perhaps not struck the right balance and has clearly had some unintended negative impacts on much smaller organisations who now find it difficult (or perhaps too risky) to innovate or use technologies to their full potential, but it is nevertheless clear that change was needed.
Another much-reported side to the GDPR was penalties. In the run up to May 2018, it was difficult to find any commentary that didn’t warn of large fines reaching up to €20m or 4% of global turnover. Small businesses feared ruin for innocent mistakes, and a great deal of the commentary at the time didn’t do a great deal to dispel this fear. Even the ICO themselves were at pains to point out that they were not looking to fine everyone into oblivion, yet few seemed to be paying attention. Two years later, and even one of the world’s greatest tech bogeymen, Google, hasn’t felt the full force of the GDPR’s wrath. Indeed, a €50m fine handed to it by the French supervisory authority, CNIL, equated to a paltry 0.04% of Google’s global turnover.
Getting Started with the GDPR and Keeping Up
There was something of a scramble to prepare for the GDPR, particularly with so many fearing harsh penalties. There was also, it must be said, considerable confusion over the new, broad definition of “personal data” and over important issues such as consent.
Guidance available in the early days was something of a mixed bag. Some was new and sound, some based on supposition, some was based on the old law, and sometimes it was difficult to tell the difference. Since then, however, guidance on the GDPR and Data Protection Act has cleared up somewhat, particularly from authoritative sources such as the ICO.
The question to be asking now, then, is not so much “what did we do then?” as “what have we done since?” Getting your business compliant back in 2018 was a great first step, but these things do not stand still. Now is a good time to take a fresh look at your data protection compliance, not least in light of the fresh challenges posed by the COVID-19 pandemic and Brexit.
New and Updated Documents to Help You Along
A Data Protection Audit is a useful starting point in evaluating your data protection compliance and should be carried out on a regular basis. Certainly, if you haven’t undertaken one since 2018, now is a good time to get started. What’s more, our Data Protection Audit template and accompanying Guidance Notes have been reviewed and updated both in light of best practice and in light of the current pandemic which has resulted in a huge increase in home working.
There may be a certain degree of trepidation at the prospect of a data protection audit. Perhaps you don’t want to find out that you’ve got something wrong. This is a valid concern, but the mere act of carrying out an audit is not going to trigger alarm bells at the ICO. Indeed, if there are underlying flaws in your approach, the ICO would much rather you found them and fixed them than swept them under the rug. So, celebrate the GDPR’s second birthday with a data protection audit!
Another important aspect of ongoing data protection compliance is the Data Protection Impact Assessment. In some cases, where a project poses a high risk to data subjects, this exercise is a legal requirement, but it can be useful even in low-risk scenarios. To introduce more flexibility into the equation, we have now published a new Short Form Data Protection Impact Assessment. The structure is the same as our existing template; however, various sections favour an open approach in place of lists of prescribed questions. The key topics required in a DPIA remain, but how you address those topics can be better tailored to the particulars of your project.
It is not only businesses that have become more aware of data protection, of course. Individuals are getting increasingly privacy savvy. One of the key rights afforded to individuals under the GDPR is the “right of access” – exercised by means of a subject access request. To add to, and support, our existing range of templates for handling SARs, we have now introduced a set of Subject Access Request Guidance Notes, which explain the various important aspects of SARs in more detail.
May You Live in Interesting Times
May we? Mais oui! Both Brexit and the COVID-19 pandemic pose new challenges for data protection in 2020.
On the Brexit side of things, we know that, come the end of the transition period, the GDPR will be replaced in UK law with a “UK GDPR” – legislation that will essentially copy the GDPR but with necessary changes to wording such as the removal or replacement of references to EU laws, institutions, and powers. It is also established that existing European Commission adequacy decisions and standard contractual clauses will be recognised by the UK. It will be possible to transfer personal data from the UK to the EU and EEA, and to third countries covered by the adequacy decisions.
For data going the other way, however, things are not so certain. The European Commission will need to reach an adequacy decision over UK data protection law, and it is currently considered unlikely that this will happen before the transition period ends. Other mechanisms, such as model clauses or binding corporate rules, would thus be needed to move personal data from the EU or EEA into the UK. Those businesses offering goods or services to individuals in the EEA or monitoring their behaviour will likely need to appoint an EEA representative.
What, then, of the coronavirus? Not only has this unprecedented situation resulted in increased amounts of medical (i.e. “special category”) personal data being handled within businesses, but it also means that a lot of personal data is being processed outside of the normal secure IT environments.
Home working presents a particular challenge where data protection is concerned. It is important now more than ever to ensure that your staff are trained, and that awareness is maintained. We recently published a Home Working Data Protection Policy with additional security measures designed with home working in mind. Our updated Data Protection Audit and accompanying Guidance Notes also include new prompts to consider the issues raised by home working.
Read All About It!
This look backwards and forwards continues in more depth here on our blog. In addition to a deeper dive on the topics above, we also ask where UK data protection regulation might go next. The UK GDPR is more or less set, but what will come after that?
The contents of this Newsletter are for reference purposes only and do not constitute legal advice. Independent legal advice should be sought in relation to any specific legal matter.