GDPR - one year on
With more than a year now passed since the GDPR came into force, and with the benefit of insight into early enforcement, it is a good time for organisations to review their compliance with the regulation. The big question many have been asking is how the regulators would use their new-found authority and what conduct would attract their attention. Although evidence of significant enforcement remains limited (relatively few fines have been imposed, and the majority are low in value), we are starting to see how the data privacy watchdogs are using their new tools.
The new breach notification regime has become one of the areas that concerns businesses the most, no doubt in part because of the high sanctions available for failure to notify. In the UK this has led to around 14,000 personal data breaches being notified between 25 May 2018 and 1 May 2019. This compares with just 3,311 notifications between 1 April 2017 and 31 March 2018, and 2,565 between 1 April 2016 and 31 March 2017.
In an update titled “GDPR: one year on”, which the Information Commissioner’s Office published on 30 May 2019, the office reports: “We closed over 12,000 of these cases during the year. Of these, only around 17.5% required action from the organisation and less than 0.5% led to either an improvement plan or civil monetary penalty. While this means that over 82% of cases required no action from the organisation, it demonstrates that businesses are taking the requirements of the GDPR seriously and it is encouraging that these are being proactively and systematically reported to us”. These figures perhaps also show that it remains a challenge for organisations and DPOs to assess which breaches are reportable.
In her speech to the International Privacy Forum on 4 December 2018 the Information Commissioner, Elizabeth Denham, commended the fact that companies have prepared themselves to comply with the GDPR’s breach notification requirements. She said “(…) breach reporting is not a mere administrative responsibility. It speaks to the accountability principle of the GDPR. The accountability principle requires you to take responsibility for what you do with personal data – and have processes and systems in place to demonstrate this compliance. If, within the 72 hour time limit, a UK organisation has no clue as to the who, the what, the how of a breach, then it is clear that they do not have the required accountability data checks and balances in place - as required by law.”
According to DLA Piper’s GDPR Data Breach Survey, carried out in February 2019, more than 59,000 personal data breaches were notified to European data protection regulators in the first eight months of the GDPR. These ranged from minor incidents, such as an email sent to the wrong recipient, to major cyber attacks affecting millions of individuals. With 10,600 breaches reported in those eight months, the UK was among the top three countries for notifications, behind only the Netherlands and Germany with 15,400 and 12,600 breaches respectively. The countries with the fewest notified breaches were Liechtenstein, Iceland and Cyprus, with only around 15, 25 and 35 breaches respectively.
With the sharp increase in notifications, “regulators are stretched and have a large backlog of notified breaches in their inboxes,” the DLA Piper report notes. “Inevitably, they have prioritized the larger, higher-profile breaches, so many organizations are still waiting to hear from regulators whether any action will be taken against them in relation to the breaches they have notified”.
What fines have we seen so far?
Google. The highest GDPR fine so far has been the €50 million fine imposed by CNIL, the French data protection authority, in relation to Google’s use of personal data for the purpose of personalising advertisements.
On the basis of the inspections carried out, CNIL found two types of breach of the GDPR. Firstly, it held that Google had violated its obligations of transparency and information. The information Google provided to users was not easily accessible: essential information, such as the purposes of processing, the data retention periods and the categories of personal data, was spread across several documents, and to reach the relevant information a user had to perform many actions and combine several sources. Moreover, some information was missing or was not always clear or comprehensive, making it difficult for users to understand the full extent of the processing carried out by Google. Secondly, CNIL found that the consent Google relied on as its legal basis for ads personalisation had not been validly obtained, because users were not sufficiently informed and the consent was neither specific nor unambiguous (the option to personalise ads was pre-ticked by default).
Knuddels. In November 2018 the German chat platform Knuddels was fined €20,000 for storing user passwords in plain text. Knuddels’ user data had been stolen and published on Pastebin and Mega.nz, exposing over 800,000 email addresses and more than 1.8 million pseudonyms and passwords. The Baden-Württemberg data protection authority, the regional data watchdog, held that by storing passwords in plain text the company had violated its duty to ensure the security of personal data in processing, and imposed its penalty on that basis. For this type of breach the GDPR provides for maximum fines of up to €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher. In this case, however, the regulator imposed a fine much lower than many expected, justifying it by the way the company had cooperated fully with the investigation. The regulator also took into account that Knuddels had taken comprehensive steps to achieve full transparency as quickly as possible after becoming aware of the attack and had implemented extensive measures to improve its IT security systems and policies, and that the company neither benefited nor intended to benefit from the breach. Latham & Watkins partner Tim Wybitul, who acted for Knuddels, said in a press release that the low fine reflects the fact that the company “acted quickly and correctly” after discovering the hack.
The same authority imposed an €80,000 fine in January 2019 on a healthcare organisation for publishing sensitive personal data on the internet. Other fines include a €4,800 fine issued in Austria for the operation of an unlawful CCTV system that was deemed excessive because it partially covered a public pavement.
Despite the rise in the number of disclosed breaches and the maximum fines regulators now have the power to impose, the number and value of fines (excluding the €50 million fine against Google) have so far been lower than many expected. This may be because regulators in some countries are still settling into their new roles. In his statement on the relatively lenient Knuddels fine, the State Commissioner for Data Protection and Freedom of Information for Baden-Württemberg, Dr Stefan Brink, said that the authority is “not interested in entering into a competition for the highest possible fines. In the end, it’s about improving privacy and data security for the users”. The authority also noted that “the overall financial burden on the company was taken into account in addition to other circumstances.” Whether other data privacy watchdogs adopt a similar approach to assessing fines remains to be seen.
The ICO reports that “the first year of the GDPR has seen people realise the potential of their personal data. There is a greater awareness of the law, in particular the data rights of individuals, and greater awareness of the role of the regulator where rights aren’t being respected”. This has had a significant impact on the number of concerns raised with the ICO by the public. The office received over 41,000 data protection concerns between 25 May 2018 and 1 May 2019, with subject access requests remaining the most frequent complaint category. For comparison, the figure for 2017/18 was around 21,000 and under 20,000 for 2016/17.
The more extensive rights for individuals under the new regime, together with greater publicity and awareness of those rights, have also had a considerable impact on businesses, which report a significant rise in the number of data subject access requests (DSARs) made by employees. By making a DSAR, current and former employees can obtain a copy of the personal data their employer holds about them. Businesses note that such requests are often made in the context of a workplace issue, for example where an individual facing disciplinary action wants to cause problems for the business or to obtain advance disclosure before raising a claim.
As no decrease in this trend is anticipated, and as handling the increased volume of DSARs often requires additional resources and therefore cost, businesses need clear and well-thought-out procedures to deal with requests efficiently. Companies that have developed organised and effective systems for processing DSARs will also be better placed to convince the regulator that they have met their obligations.
While it is responsible for enforcing data protection legislation in the UK, a key part of the ICO’s role is also providing support and guidance to organisations on data privacy law and compliance.
In its update “GDPR: one year on”, the ICO acknowledges that the GDPR has not been easy for small organisations. To help this community it has provided a suite of resources and support, including toolkits, checklists, podcasts, a helpline, a live chat service and advisory sessions. Its guidance and the ways in which it can help are set out at: https://ico.org.uk/for-organisations/. The office has also promised to establish a one-stop shop for SMEs offering additional support and guidance.
The guidance and expertise are not limited to SMEs but are available to all organisations, businesses and the public sector. To help organisations understand their obligations the ICO has produced a Guide to the GDPR ( https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/ ) as well as interactive tools and a blog, all available on the ICO website.
The office is also responsible for producing four statutory codes of practice: data sharing, direct marketing, age-appropriate design, and data protection and journalism. These codes are currently being developed and will support compliance in these areas. The draft code on age-appropriate design is available at: https://ico.org.uk/media/about-the-ico/consultations/2614762/age-appropriate-design-code-for-public-consultation.pdf.
With increased enforcement action and much higher fines available to regulators, a question many ask is whether these fines can be covered by insurance. The position under English law on the insurability of GDPR fines remains unclear. Some regulatory bodies, such as the Financial Conduct Authority, have made it clear that their fines cannot be insured; the ICO has issued no such ban. In the UK, cover cannot generally be obtained for fines imposed for criminal or quasi-criminal conduct, for public policy reasons: the fine is meant to deter the wrongdoer, and being able to recover it would negate that effect. A fine imposed under the GDPR is likely to be regarded as a punitive sanction for quasi-criminal conduct and therefore uninsurable under English law, although some speculate that ICO fines for much less serious breaches could fall into a different category and remain insurable.
As these important issues remain unresolved, businesses should not assume that fines or penalties under the GDPR will be covered by an English law insurance policy. Furthermore, the consequences of GDPR non-compliance are not limited to monetary fines, and organisations also need to consider the other costs and liabilities that could result from falling foul of the regulation. In its “guide to the insurability of GDPR fines”, AON sets out what can be insured against in the UK: (i) the costs of investigating an incident; (ii) defence costs; (iii) claims by third parties (customers and suppliers) for the consequences of a breach; and (iv) the costs of mitigating a breach, including public relations expenses. Claims under a policy for such costs would be insurable unless it has been demonstrated (e.g. by an admission or judgment) that the conduct giving rise to liability for a fine was deliberate or reckless.
How can compliance be improved?
In her blog post “GDPR – one year on”, Elizabeth Denham, the UK’s Information Commissioner, warns that the hard work is far from over: “there is much more still to do to build the public’s trust and confidence (…) and this is true for businesses and organisations of all sizes”. She adds that the bar for compliance will rise in the second year of the new regime: “The focus for the second year of the GDPR must be beyond baseline compliance - organisations need to shift their focus to accountability with a real evidenced understanding of the risks to individuals in the way they process data and how those risks should be mitigated. Well-supported and resourced DPOs are central to effective accountability”.
With new guidance from the regulators and enforcement action to date, it’s a good time for organisations to audit their GDPR compliance. Here are just some areas where a review or improvement may be required.
Policies and procedures
It is worth noting that Google did not flagrantly breach the regulation. Like many other organisations, Google had changed its policies and processes ahead of the GDPR taking effect; the measures it took were simply found to be inadequate. Check whether your existing policies and procedures comply with the GDPR in the light of recent guidance and of any changes within the business since the policies were written. For example, consider the following:
- Is the information you are required to provide to data subjects clear, easily accessible, complete and comprehensible? As the Google case shows, spreading that information across multiple documents, links or pages, so that a user has to combine several sources to understand the processing, may fall foul of the regulation.
- Do you meet the GDPR obligation to have a legal basis for every category of personal data you process? If you rely on the consent of data subjects as your legal basis, is that consent validly obtained? The GDPR sets a high standard for consent, demanding that individuals are offered real choice and control, and the French regulator reiterated this in the Google case. Valid consent requires a positive opt-in; pre-ticked boxes or any other form of default consent breach the regulation. Broad or vague consent is also invalid, so be specific about what the consent covers and obtain separate consent for separate purposes (and keep it separate from other terms and conditions). Check your consent practices and your existing consents, and keep them under ongoing review.
Is the data secure?
Data privacy experts comment that many of their clients have invested substantial time and resources in making their operations and policies GDPR compliant, but only “on paper”.
A key principle of the GDPR is that businesses must process personal data securely by means of “appropriate technical and organisational measures” (the security of processing obligation in Article 32). Where organisations are falling short is in actually securing the data: new policies are poorly implemented, or the physical and technical measures the policies presuppose have never been reviewed and improved. This was the case with Knuddels, which stored user passwords in plain text. The things you should consider include:
- sufficient cyber-security protection measures and tools (e.g. firewalls, encryption of data at rest and in transit, and, as the Knuddels case shows, storing credentials only as salted, slow password hashes rather than in plain text);
- access control (e.g. key or chip-card access to server rooms, alarmed office space, and control over who within the organisation can access personal data).
You must also have appropriate processes in place to test the effectiveness of these measures and to make any improvements they reveal are needed. For example, being able to demonstrate to the authority that you run penetration tests on a regular basis may help to prove that you have taken appropriate measures to keep the data secure.
Data privacy experts also advise that having people with IT and cyber-security knowledge on board (including at board level) helps companies get the security requirements right. It promotes a data privacy culture within the organisation and ensures that data security issues are given proper consideration. Having technical experts in-house also helps organisations design technical measures tailored to the activities of the business.
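The Knuddels fine turned on a single technical choice: the stored record was the password itself, so a dump of the database was a dump of every user’s credential. The example below is an added illustration, not code from the article or from Knuddels, contrasting that anti-pattern with salted, iterated password hashing using only the Python standard library. The PBKDF2 iteration count and the `algorithm$iterations$salt$hash` record layout are assumptions chosen for the example; a production system would tune the work factor to its hardware (or use a dedicated library such as argon2 or bcrypt), but the structure of the check is the same.

```python
"""Plaintext vs. hashed password storage (added example, not the article's code).

The stored record is what an attacker obtains when the table is dumped, as in
the Knuddels breach. With plaintext storage the record *is* the password; with
a salted, slow hash the record lets the server verify a login but reveals
neither the password nor whether two users share one.
"""
import hashlib
import hmac
import secrets

# Assumed parameters for illustration; raise the iteration count on real hardware.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def store_plaintext(password: str) -> str:
    """The anti-pattern behind the Knuddels fine: the record is the password."""
    return password


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    A fresh random salt per user means identical passwords yield different
    records, so a dump cannot be attacked with one precomputed table.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        work_factor = int(iterations)
    except ValueError:
        return False  # malformed record (e.g. a legacy plaintext entry): never accept
    if algorithm != ALGORITHM or work_factor <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, work_factor)
    # hmac.compare_digest avoids leaking where the first mismatching byte is.
    return hmac.compare_digest(candidate, expected)


def record_exposes_password(record: str, password: str) -> bool:
    """What a breach discloses: does the stored record contain the password itself?"""
    return password in record


def needs_rehash(record: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True if the record was made with a weaker work factor and should be
    re-hashed at the user's next successful login (a migration hook)."""
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != ALGORITHM or int(parts[1]) < iterations


if __name__ == "__main__":
    # Constructed sample credentials for the demonstration.
    alice, bob = "correct horse battery", "correct horse battery"
    weak = store_plaintext(alice)
    strong = hash_password(alice)
    print("plaintext record exposes password:", record_exposes_password(weak, alice))
    print("hashed record exposes password:   ", record_exposes_password(strong, alice))
    print("same password, different records: ", strong != hash_password(bob))
    print("login with right password:        ", verify_password(alice, strong))
    print("login with wrong password:        ", verify_password("wrong", strong))
```

The `needs_rehash` hook is the piece teams most often forget: once a stronger work factor or algorithm is adopted, existing records are upgraded transparently at the user’s next login rather than by asking everyone to reset, which is how a plaintext or weakly hashed table is retired without a second incident.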
How would you respond to a data breach?
Today any company can become the target of a cyber attack quickly and unexpectedly, so companies should not only consider IT security but also plan how they will deal with a security breach. Does your company have everything in place to meet the GDPR’s requirements when a data breach happens?
The German fine levied on Knuddels offers a lesson for companies drawing up a data breach policy: Knuddels was spared a much harsher penalty under the GDPR because of its effective breach response.
Data privacy experts comment that many companies faced with a data breach are simply not prepared for it. Only on identifying the breach does the company start to work out what it should do, how it should act and what communications it should issue. The GDPR, however, requires a fast and skilled response, and how the company handles the breach can have a significant impact on how the regulator assesses its compliance with the regulation.
A few things that you should consider:
- Have in place a data breach policy that assigns roles, sets out the steps to be taken and includes a “toolkit” of template forms, questionnaires and template communications to be used in the event of a breach. This should prepare you for an efficient and well-organised response during the crisis, helping you to take defensive steps and mitigate the serious financial and reputational consequences that may follow.
- Have appropriate and clear reporting routes within the organisation, effectively communicated to staff.
- Have in place processes for assessing the severity of a potential breach and whether it must be communicated to the authorities and to the individuals affected. Note that not all security breaches are reportable: a risk analysis has to be done, and you should know in advance how to do it and how the 72-hour notification clock will be met.
- Create a team within your staff dedicated to handling security breaches. Such a team should undertake advanced training and keep up to date with relevant guidance from the regulators.
- Include crisis simulation or “war-gaming” exercises in your staff training.
- If a breach occurs, create a detailed accountability record including the decisions you made and why you made them, documenting how you assessed the risk. Under the GDPR you must be able to demonstrate your compliance, and detailed records may help you mitigate enforcement action.
As processing DSARs is rarely straightforward, and given the increase in the number of requests and the shorter response period (now one month), it is important that businesses are prepared to deal with them. Have in place a clear protocol that sets out the steps to be taken and assigns roles within your personnel so that you can respond within the required timeline. Ensure your staff are adequately trained and understand the test for personal data and the relevant obligations. Consider speaking to the person making the request to narrow its scope; this can save a considerable amount of time.
Consider holding refresher GDPR training. Data protection experts emphasise that staff training is an essential part of GDPR compliance. If you were to experience a data breach, documented staff training records may serve as evidence that you had taken appropriate steps to prevent it.
Where the relationship between you and your supplier or customer is one of data controller to data processor, the GDPR requires a written contract governing the relationship. The contract must set out specific information and include the specific terms prescribed by the regulation. Review your contracts with customers and suppliers for GDPR compliance, and ensure that the team responsible for procurement and vendor vetting is adequately trained and has the relevant knowledge of the GDPR so that it can make informed decisions.
This comprehensive overview was written by Clayden Law's Elizabeth Gibbs.