The new data protection laws are not going anywhere and 2019 is likely to be a year of action in which the new data rights, complaints and enforcement options are tested. We’ve already seen this in France earlier this month when CNIL (the French National Data Protection Commission) fined Google a record 50 million Euros, related to Google’s use of Ads personalisation.
CNIL determined that Google had not been sufficiently clear and transparent with its privacy information and had not obtained the necessary consents. In addition, because CNIL viewed Google’s economic model as being based on ads personalisation they were held to an increased level of accountability. Therefore, the scale of Google’s fine reflected this as well as the size of their operations, and the fact that breaches were ongoing and continuous (rather than one-off errors).
The Information Commissioner’s Office (ICO) – responsible for enforcing data protection requirements in the UK- has been working through a backlog of complaints. However, whilst we anticipate enforcement will increase with “examples” made, the ICO’s general mindset remains one of support and guidance. The intention is not to drive you out of business and you can protect yourself by spending a bit of time on the issue.
- Cisco backs US GDPR calls
- Majority of companies still aren't GDPR compliant
- How will GDPR impact the mobile industry
Specifically, we anticipate ‘Subject Access Requests’ will increase, as individuals use these to access their data and this is often in connection with complaints and legal claims (common triggers for these are employment disputes and consumers receiving unwanted communications). We also anticipate the first individual and class action claims directly against data controllers (i.e. businesses), with call centres and bulk claims looking for another revenue stream to replace the PPI bubble.
Complying with GDPR
With this landscape in mind, it is important to embed data protection. You can be proportionate to the nature and scale of your business in doing so, but we recommend considering at least the following as part of this process:
- Pay the registration fee to the ICO (unless you are exempt).
- Ensure you have appropriate privacy information in place and available –you’ll be on the back foot when receiving a subject access request if you cannot direct an individual to your policies.
- Take time to understand the data you collect and why, and be clear on your legal basis for processing.
- Review your marketing strategy. Whilst consent to electronically market is usually required, it is possible to market to existing customers without explicit consent, whilst you also have a legitimate interest to contact other businesses. However, ensure opt-out options are provided and actioned.
- Train your staff (including on your SAR response procedures) and support this with clear internal policies on data security and retention etc. The ICO always asks for these when investigating a complaint!
- Consider your current insurance. In particular: does it cover acts of a rogue employee; and is cyber insurance appropriate?
- Do everything you can to prevent a data breach- including IT security, destruction procedures and clear policies for employees to follow.
- Review your standard terms of business, and any client terms, to ensure they accurately reflect your actual data sharing or processing relationship (or lack of it), whilst ensuring liability is apportioned or excluded appropriately.
- Remember that you have legal rights and requirements to process personal data, so don’t panic. Be confident in why you are processing and respond accordingly.
- Taking time to consider your position now will prevent unwanted surprises in 2019.
Graham Hansen, Commercial Associate and Data Protection Expert at HRC Law
- We've also highlighted the best VPN in this roundup