GDPR: 2 Year Anniversary

Governance, Procurement & Information Article

22 May, 2020

Bethany Paliga
Senior Associate

The 25th May 2020 marks two years since the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 came into force in the UK. The change in law marked the biggest change in data protection law in 20 years and gave the regulator, the Information Commissioner's Office (ICO), the ability to impose much tougher sanctions and levy higher fines on organisations that fail to comply with data protection law.

The introduction of the GDPR saw organisations of all sizes overhaul their data protection compliance, conduct audits and map out a plan to bring them in line with the requirements of the new legislation. The 2-year anniversary is also likely to mark the point at which many organisations' policies and procedures, introduced at the time the GDPR was implemented, will need to be reviewed and revised. You are not alone in this feat. The European Commission must also conduct a review of the GDPR and report the findings of this review to the European Parliament by 25 May 2020. We expect this review to call for a more unified approach to the implementation and regulation of the GDPR across the EU.

What do we expect over the next 12 months?

The ICO has recently announced a shift in focus in its regulation in response to the coronavirus pandemic. This will see the ICO focussing on organisations that misuse personal data and seek to take advantage of the vulnerable during this crisis. The ICO has also announced that it will take into account the economic impact and affordability of any fines issued. Therefore, we expect the level of any fines given to be reduced given the financial strain many organisations are currently under. We are still awaiting an announcement from the ICO in relation to the fines issued to both British Airways and Marriott International in summer last year. The ICO previously issued a notice of intention to fine British Airways £183m and Marriott £99m in relation to cyber security breaches. Both companies have subsequently been granted further time to provide the ICO with evidence of mitigation, which could reduce the level of fine that they receive. We wait to see how the coronavirus pandemic will impact the level of fine imposed given the financial strain that both the airline and the hospitality industry currently face.

That said, the ICO has reminded organisations that they are still under a duty to report personal data breaches to the ICO within 72 hours where necessary and organisations must still comply with data protection law, although it recognises that resources may currently be diverted.

Over the next 12 months, we also expect further guidance to be produced by the ICO in response to consultations that have recently closed - for example relating to the use of criminal convictions information and the draft subject access request guidance. Whilst the ICO has announced that such guidance may be delayed, we are expecting further guidance to be published over the coming 12 months.

What should you be doing now?

As May 2020 will mark the anniversary date of many of the policies and procedures implemented to demonstrate compliance with the GDPR, we recommend you review these policies in light of new guidance published by the ICO over the previous 12 months. In particular, our clients should consider the following areas:

  • Subject access request policy/procedure - The ICO has published draft guidance to assist organisations responding to subject access requests. You should review your policies to ensure they reflect the guidance. In particular, the guidance states that a request by an organisation to clarify the information requested under a subject access request will not stop the clock: the time for responding to a request will begin from the date it was received or the date ID is received from the requester (if necessary). Therefore, you will need to check that this is clear within your policy documents and update this provision if necessary.
  • Special category data/criminal convictions policy - The ICO recently published further guidance on the use of special category data and criminal convictions information. In certain circumstances, the use of special category data or criminal convictions information requires an 'appropriate policy document' to be in place (e.g. if your lawful basis for using this information falls under the 'substantial public interest' condition or the employment or social protection purposes in the GDPR). You will need to review your existing policies to determine whether they meet the requirements of an 'appropriate policy document' and update them accordingly.
  • Review of privacy notices - It is likely that your use of personal information has changed over time (e.g. you are now more likely to be conducting workplace testing or collecting more health information than was previously envisaged). You should review your privacy notices to see if they are up to date and amend them if necessary.
  • Record of Processing Activity - Again, it is likely that your use of personal information has changed over time. Therefore, you will also need to review that your processing records are up to date and cover all the types of information you process.
  • Data Breach Procedure - It is likely that you have had suspected data breaches reported internally during this time, even if you have avoided having to make a report to the ICO. Consider whether the procedure worked in practice or whether any amendments need to be made with the benefit of some hindsight.
  • Remote working/BYOD policies - The coronavirus pandemic has seen a huge shift to remote working. You should consider whether your remote working policies need updating to reflect the current situation, or introduce these policies if none have previously been in place.

As the big push to comply with the GDPR has now passed, organisations should by now have embedded data protection processes, practices and procedures into their operations, and we expect to see a shift in focus from implementing data protection compliance to reviewing existing practices and ensuring compliance on an ongoing basis.

For more information contact Bethany Paliga in our Governance, Procurement & Information department via email or phone on 01254 222347. Alternatively send any question through to Forbes Solicitors via our online Contact Form.
