The new legislation was heralded as an important evolution in the protection of personal data, but, one year later, has anything significantly changed? As with so many things related to the GDPR, there is no clear answer.
Looking solely at the available data breach reporting statistics, it would seem that organisations have, if anything, become more careless with personal data since the GDPR came into effect. Some of these personal data breaches made headlines - British Airways, Facebook, Marriott Hotels, WhatsApp - but most of these reported breaches relate to much more mundane incidents such as a misdirected email or the loss of an unencrypted electronic device.
The European Data Protection Board recently published statistics showing that more than 89,000 personal data breaches were reported to the various national supervisory authorities (including the UK's Information Commissioner's Office (ICO)) throughout the European Economic Area in the first year of the GDPR. For the period between April and September 2017, the ICO reported just over 1,300 data security incidents. For the same period in 2018, the ICO reported just over 7,200 data security incidents - which seems like a horrifying increase in data breaches, except that prior to 25 May 2018 there was no obligation to report a personal data breach to the ICO.
At the same time, it has been difficult to escape mention of the GDPR in the media as a result of high profile enforcement actions (with Google as the first recipient of a very sizeable fine, which is currently being appealed) and court actions against the use of facial recognition technology. As a result, organisations and individuals are clearly aware that the data protection legislation has changed and that individuals have more rights over their own information.
It is also noticeable that more organisations have privacy notices on their websites than 12 months ago, so clearly many organisations have at least started addressing their data protection obligations.
It remains to be seen whether this will eventually translate into overall improved data security and data protection.
Despite the widespread awareness of the new data protection legislation, there continue to be certain areas which are particularly prone to misunderstanding. The following are some of the highlights from the last year:
· Consent of the data subject is always required for the processing of any personal data.
No, a data subject does not always need to consent to the processing of his/her personal data. Consent is one of six lawful bases of processing any type of personal data, and explicit consent is one of ten lawful bases of processing special categories of personal data. This means that if the processing can be justified on one of the other grounds (for example if the processing of non-special category data is required in order for an organisation to comply with a contract entered into with that data subject), consent is irrelevant.
· A subject access request entitles a data subject to all information requested.
No, a subject access request entitles a data subject to access to his/her own personal data held by an organisation and entitles a data subject to certain additional information relating to the processing of such personal data (such as the source of the data), but this right to access is subject to certain restrictions and exemptions set out both in the GDPR and the DPA 2018. Therefore, a subject access request cannot be used to access third party personal data or any data which is not in fact personal data (such as information about a company), and just because an individual is named in a document does not entitle that individual to the entire contents of that document.
On the flip side, simply omitting someone's name, for example by using initials or a reference number instead, does not stop information from being personal data which may need to be disclosed to a data subject making a subject access request.
· A request to be forgotten must be complied with.
No, the right to be forgotten only applies in limited circumstances and even then there are restrictions and exemptions set out both in the GDPR and the DPA 2018. In particular, the right to be forgotten does not apply where the processing of the relevant personal data is based on the "contract" or "legal obligation" bases or where the information continues to be required in the context of legal claims.
In other words, an individual cannot enter into a contract for goods or services with an organisation, receive the goods or services and then, immediately before being required to pay, request to be forgotten. Also, an individual cannot "escape" a legal claim from an organisation by requesting to be forgotten under the GDPR.
· All third party service providers are data processors.
It is fair to say that all data processors (being organisations who undertake certain, usually technical, processing activities on behalf of another organisation) are third party service providers. However, not all service providers are data processors. Where the service provider takes decisions about the relevant personal data, for example for the purpose of providing advice to the other organisation, then that service provider will be a controller not a processor of such personal data. This has implications for both parties, in particular in relation to the type of contract required between the parties and to the issuing of privacy notices and otherwise complying with data subject rights.
· An end to cold-calling and spam emails?
It was probably wishful thinking that the GDPR would put an abrupt end to nuisance calls and unsolicited emails. The GDPR states that an organisation is permitted to process personal data on the basis of its legitimate interests in pursuing direct marketing, so some organisations may not have noticed (or have deliberately chosen to ignore) that this is subject to other relevant legislation - including the Privacy and Electronic Communications Regulations 2003 (PECRs) which imposes restrictions on unsolicited electronic communications to consumers. It remains the case that an organisation should not make a marketing call to an individual who is registered with the Telephone Preference Service (TPS) and that an organisation should not send an unsolicited marketing email to an individual without that person's prior consent (except in very limited circumstances relating to existing customers).
· If an organisation reports a personal data breach, the organisation will be fined up to €20 million or 4% of global annual turnover, whichever is higher.
For those organisations who are faced with an actual or potential personal data breach, any incident which poses a "risk" to the affected data subjects must be reported to the ICO within 72 hours of the organisation becoming aware of the incident. Where the incident poses a "high risk" to the affected data subjects, it must also be notified to the data subjects as soon as possible. Reporting a personal data breach does not mean that the organisation will be automatically fined by the ICO, but failing to report a personal data breach will be a breach of the GDPR which may result in an enforcement action (including a fine) by the ICO.
For further information about the GDPR, please have a look at the extensive guidance published by the ICO on its website (www.ico.org.uk) or contact the Morton Fraser GDPR Team.