GDPR – one year on, it’s not just all about emails
What, if anything, has changed for businesses? We look at what has happened in the past 12 months and what you might have to plan for in the future.
It has been almost 12 months since businesses were all panicking about GDPR. Here is a Q&A to bring you up to speed on the General Data Protection Regulation.
What type of issues were raised by businesses last year and how was Pearson able to help in the lead-up to GDPR and beyond?
GDPR is built on existing data protection law so businesses that were already well-versed in data protection were in a good position. The most common issues raised were associated with implementation of some of the new GDPR requirements and what these look like in practice.
Pearson was able to allay fears about the 'impending doom' of GDPR and put forward practical solutions for businesses to prepare for GDPR.
Since May 2018 and the implementation of GDPR, Pearson has advised on responding to data access requests and on how to share data legitimately with third parties. We have also provided bespoke large-scale reviews of data processing within organisations, each one tailored to the size and nature of the organisation's business.
Were there key areas of activity that businesses were especially focused on?
Much of the focus of businesses was initially on customer lists and marketing information, in particular e-mail marketing. We have provided advice on GDPR and how it currently fits in with the Privacy and Electronic Communications Directive (2002/58/EC) (E-Privacy Directive), implemented by the Privacy and Electronic Communications Regulations 2003 (PECR). PECR applies to e-marketing, telephone and text marketing, cookies, and the security and privacy of communications networks. The E-Privacy Directive and PECR have yet to be updated to take into account the GDPR changes. However, businesses have come to realise that GDPR is not all about marketing: it applies right across operations and is now a major factor to be considered in key business decisions.
Did businesses see an increase in enquiries and requests from their customers and contacts regarding GDPR issues, data deletions, etc.?
Some businesses have experienced a rise in data subject access requests. These can be simple to deal with, but in some cases, where the rights of different individuals have to be balanced, they can be complex and therefore require further advice from our team of GDPR specialists.
What was predicted pre-GDPR and what has happened since May 2018? Were scare stories used in last year’s GDPR publicity? Were warnings and advice justified or were the risks exaggerated?
What is clear is that people are more aware of their rights in relation to their personal data. This is a good thing, but it can be a headache for businesses when they have to respond to data access requests. In fact, a survey by Talend concluded that 70% of UK organisations could not respond to data access requests within the one-month time limit allowed.
Whilst the big fines have so far been reserved for the big players, the level of potential fines for non-compliance is high for everyone, and has the potential to bring a business down, either financially or in terms of its reputation. Creating public trust in an organisation's treatment of personal data should be a high priority.
Have there been any fines for any companies that have fallen foul of the law?
The first fines that were published after GDPR were actually determined under the old data protection regime. Between 2007 and 2014, Facebook processed users' personal data unfairly, allowing application developers access to their information without sufficiently clear and informed consent. One developer harvested the personal data of 87 million users who knew nothing of the data transfer. Part of the data was passed to the parent company of Cambridge Analytica, which was involved in U.S. political campaigning. Reflecting the seriousness of the breach, the maximum fine was imposed, which under the previous legislation was £500,000. These fines would have been much higher had they been imposed under the new law. This formed part of the ICO's investigation into data analytics for political purposes.
The Information Commissioner’s Office (ICO) has issued fines totalling £120,000 to the EU referendum campaign Leave.EU and Eldon Insurance trading as Go Skippy Insurance for serious breaches of electronic marketing laws. The ICO is set to review how both are complying with data protection laws. These monetary penalties were served under the PECR and were also part of the ICO's investigation into data analytics for political purposes.
Google has been fined 50 million euros (£44m) by the French data regulator CNIL for "lack of transparency, inadequate information and lack of valid consent regarding advert personalisation". Google is set to appeal against the ruling.
An enforcement notice was issued to a Canadian company, AggregateIQ Data Services Ltd, for its use of data analytics in political campaigning, for failing to have a lawful basis for processing, and for processing data for purposes that data subjects were unaware of and would not expect. Again, the processing was associated with links to political campaigning.
Any particular business services, sizes or sectors that have been targeted for enforcement, or at higher risk from legal action or vulnerable to falling short of the new regulations?
There have been almost 60,000 data breaches reported across the EU to the ICO and its European counterparts. The UK is third in the list of number of breaches reported. The type of breaches complained of range from emails sent to the wrong recipient to large-scale cyber attacks. Around 90 fines have been issued, but clearly there is a backlog of notifications for the European data regulators to address.
Why is professional legal advice still important?
The importance of personal data is now out in the open and people are increasingly aware of their rights. It is important for businesses to convince people that they care about data protection and therefore businesses need to be compliant. There is also a lot that is yet to be determined about how GDPR is interpreted in different situations, and the coming months and years will show interesting developments in data protection law and practice with which businesses need to keep up to date to ensure continued compliance. Pearson will continue to provide expert, practical advice in light of the ever-developing law.
Has Brexit overshadowed the importance of GDPR?
The UK Government has made it clear that post-Brexit it intends to maintain the high standards of data protection set by GDPR. Businesses which operate mainly in the UK will have to maintain current practices after Brexit. Businesses that operate in the UK and the EEA may need to comply with European law and the UK law after Brexit.
It is likely that if the UK leaves the EU with a deal then during the transition period, we will see the EU make an adequacy decision that the UK offers sufficient data protection, meaning that transfers from EEA countries to the UK do not need additional safeguards. If we leave without a deal there may be no time for that decision, and additional safeguards, including standard contractual clauses, may be required between UK businesses and those in the EU to permit transfers of data to the UK.
Transfers of personal data to the EEA from the UK should remain unaffected - the UK government has stated that they will not be restricted.
Transfers from the UK to countries outside the EEA will remain subject to similar restrictions as under GDPR.
How can Pearson help different businesses with different budgets and resources – from small SMEs to large organisations regarding GDPR?
Pearson has extensive experience of advising on data protection issues and can therefore offer a range of services, from getting to grips with the basics of GDPR to carrying out a full data audit. We provide general compliance advice and also specific advice on how to respond in any given situation which concerns personal data, whether that is a data breach, an access request, or the legitimate sharing of data with other parties. We can provide standard form documents that help a business to respond to different GDPR scenarios, and we are ready to address any complications that arise owing to Brexit in its various potential forms.
Contact Us to learn more about GDPR
For information on GDPR and what your business needs to do speak to Ruth on 0161 785 3500
Please note that the information and opinions contained in this article are not intended to be comprehensive, nor to provide legal advice. No responsibility for its accuracy or correctness is assumed by Pearson Solicitors and Financial Advisers Ltd or any of its members or employees. Professional legal advice should be obtained before taking, or refraining from taking, any action as a result of this article.