GDPR Doomsday – A Year On

It’s been 365 days since the GDPR was implemented into the UK through the Data Protection Act 2018.  A lot can change in a year but unfortunately a lot of the same old myths about the (now not so) new data protection rules seem to remain.  As a timely reminder given the recent anniversary, I thought I’d look at popular myths and the true story behind them.

Consent: the be all and end all
If I’d heard it once, I’d heard it a million times – you can’t use my data without my consent.  Quite how this myth gained so much traction I do not know, especially since it has never been the case.  And yet, it seems to still be doing the rounds.  As with the previous data protection rules, consent is one of 6 valid grounds, each as valid as the next.  It’s true that the criteria to rely on consent is now tighter: it needs to be freely given by active opt in and as easy to withdraw as it was to give.  This last element means (to me at least) consent is the shoogliest of pegs to hang your coat on – what happens if the individual revokes consent?  You cannot simply change the basis, you need to stop processing.  This highlights the importance of identifying the most appropriate basis for processing.  To help, the ICO has a handy tool available on their website.  What is equally as important is keeping any consents you rely on under review and in particular not to be relying on DPA 1998 consent as it probably does not meet the new criteria.

No More Marketing
Hot on the heels of consent came the usual “you can’t send me marketing information, I didn’t consent” and a lot of businesses fell into this trap, becoming increasingly worried about existing marketing lists becoming redundant.  However, that is not the case.  Businesses can validly continue to market based on legitimate interests (so long as the individual’s interests do not override that legitimate interest).  Note though, if you can reasonably achieve the same result in another less intrusive way, legitimate interests will not apply.  When marketing by email, it is also important to remember PECR (the Privacy and Electronic Communications Regulations) which sit alongside the GDPR.  These mean if you are using legitimate interest for marketing, you can rely on a “soft opt in” providing you give individual subscribers an option to opt out with every communication and only market your own goods or services.  There is a lot more flexibility when contacting corporate subscribers (much to the dismay of my inbox!)

Fines, Glorious Fines
In the lead up to May 2018, you cannot fail to have noticed the eye watering figures that were mentioned - €20,000,000 or 4% of global turnover of a business.   That figure is only half the story, generally applying to breaches of the GDPR principles or failure to comply with individual rights.  There is the secondary tier of fines for security failures or failure to report a breach which is still a considerable €10,000,000 or 2% of global turnover.  You should remember that these figures are maximum numbers rather than mandatory fines and the reality is that the ICO is focused on getting people compliant rather than issuing fines.  Since the change in 2018, there has not been any “making an example” type behaviour from the ICO and substantial fines remain the last resort.  Much more likely will be warnings, reprimands or enforcement notices requiring businesses to do (or refrain from doing) certain things.

Another Day, Another Breach Report
Tying in with the fear of fines was the worry that every data breach would need to be reported to the regulator.  The ICO saw a huge increase in the levels of reporting immediately after May 2018, not due to more reportable events but because controllers were terrified failure to report would result in massive fines for their business.  The new rules did mean reporting became mandatory (rather than advisory under the previous rules) but only if the breach resulted in a risk to people’s rights and freedoms – a simple mis-sent email with very little information in it would not be reportable.  It has become necessary for businesses to change how they identified and managed breaches, particularly given the tight timescales when a report to the ICO was necessary.  Reporting without undue delay and within 72 hours is clearly not enough time to do a full comprehensive report into everything but the initial investigation should be focused on the scope of the breach, cause of the breach, appropriate mitigations and a plan to address (and prevent) the problem.  If a breach is not reportable, I would still recommend noting it in a “near miss” record to identify any recurring themes and then address these before a substantial breach happens.

Get Compliant And Relax
There was a definite flurry of DP activity in May 2018, with inboxes pinging every 5 minutes with another updated privacy notice.  But how many people have done anything substantial or meaningful on data protection since that date?  The data protection journey is far from over and it should be an ongoing process for everyone.  No business stands still so every time there is a change in business, data protection should be considered and updated as necessary.  Even if there is no change in business, a regular review of data protection approaches will help demonstrate your commitment to the principles.  This is necessary to comply with the GDPR but also helps show clients and customers that you understand the data you hold and how you use it.  Important areas to focus on are:

• Check your security – there will always be someone keen to exploit weaknesses in security which could leave you vulnerable so invest in appropriate technology;
• Keep training up to date – staff are your best line of defence but also the biggest risk of failure so make sure they understand data protection and its importance;
• Plan for the worst –especially with reduced time periods for reporting and complying with individual rights requests, expect them to happen and have a process in place to deal with these;
• RAG Status – do a regular review and mark how you are performing on a “red, amber, green” scale so you can see areas to work on and improvement made on the last review;
• Don’t Panic – don’t kid yourself that you will never fall foul of the GDPR.  Mistakes may happen but don’t bury your head in the sand if they do, learn from them and take advice if you are really unsure.

Conclusion
It’s clear that it is important to have an appropriate set of management practices in place to ensure that data is used properly and in in accordance with the law.  It is equally important to be aware of the proper position and not get swept up in myths and scaremongering.  The key takeaway point is to continue taking data protection seriously and keep looking at systems and approaches to see if anything can (and should) be done differently.  And if in doubt, make sure you get in touch.