22 May, 2020
The 25th May 2020 marks two years since the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 came into force in the UK. The new legislation was the biggest change in data protection law in 20 years and gave the regulator, the Information Commissioner's Office (ICO), the power to impose much tougher sanctions and levy higher fines on organisations that fail to comply with data protection law.
The introduction of the GDPR saw organisations of all sizes overhaul their data protection compliance, conduct audits and map out a plan to bring themselves into line with the requirements of the new legislation. The two-year anniversary is also likely to mark the point at which many organisations' policies and procedures, introduced when the GDPR was implemented, will need to be reviewed and revised. You are not alone in this task. The European Commission must also conduct a review of the GDPR and report its findings to the European Parliament by 25 May 2020. We expect this review to call for a more unified approach to the implementation and regulation of the GDPR across the EU.
The ICO has recently announced a shift in its regulatory focus in response to the coronavirus pandemic. It will concentrate on organisations that misuse personal data and seek to take advantage of the vulnerable during this crisis. The ICO has also announced that it will take into account the economic impact and affordability of any fines it issues. We therefore expect the level of any fines to be reduced, given the financial strain many organisations are currently under. We are still awaiting a final announcement from the ICO in relation to the penalties proposed for both British Airways and Marriott International in the summer of last year. The ICO previously issued notices of intent to fine British Airways £183m and Marriott £99m in relation to cyber security breaches. Both companies have since been granted further time to provide the ICO with evidence of mitigation, which could reduce the level of fine they ultimately receive. We wait to see how the coronavirus pandemic will affect the level of fine imposed, given the financial strain that both the airline and the hospitality industry currently face.
That said, the ICO has reminded organisations that they remain under a duty to report notifiable personal data breaches (those likely to result in a risk to individuals) to the ICO within 72 hours of becoming aware of them, and that they must still comply with data protection law, although it recognises that resources may currently be diverted.
Over the next 12 months, we also expect the ICO to publish further guidance following consultations that have recently closed, for example on the use of criminal convictions information and the draft subject access request guidance. Whilst the ICO has announced that such guidance may be delayed, we still expect it to appear within the coming 12 months.
As May 2020 will mark the anniversary date of many of the policies and procedures implemented to demonstrate compliance with the GDPR, we recommend you review these policies in light of new guidance published by the ICO over the previous 12 months. In particular, our clients should consider the following areas:
Now that the big push to comply with the GDPR has passed, organisations should have embedded data protection processes, practices and procedures into their day-to-day operations. We expect the focus to shift from implementing data protection compliance to reviewing existing practices and ensuring compliance on an ongoing basis.
For more information contact Bethany Paliga in our Governance, Procurement & Information department via email or phone on 01254 222347. Alternatively send any question through to Forbes Solicitors via our online Contact Form.