GDPR came into force in May 2018 and, eight months on, the implementation of the law has been staggering, especially from a business perspective, with the changes that companies made to their existing, or in some cases non-existing, data protection policies and procedures.

There has been a lot of attention on the introduction of the General Data Protection Regulations throughout the last year, which has helped raise awareness among individuals, giving them more power to control how their data is used and to hold businesses to account for their actions. Whilst the spirit of the regulations is clear, the work involved for businesses and the means by which this tool could be used is causing many concerns and, in some cases, a detriment.

It has been reported that there was a significant increase in data breach notifications to the Information Commissioner’s Office (ICO), the UK’s data protection regulator, since the law came into force. This is not a surprise given that individuals, some from a consumer point of view, are more aware of their rights. There appears to be a simple explanation for this. The companies that collected and processed large amounts of their customer data were subject to more leaks and cyber-attacks. This in turn was harming their customers because their data was being taken and used by criminals for fraud, often causing financial harm and distress. Other examples include companies taking customer data and passing this on to third parties. Often the customer would not have consented to this, which then manifested in cold callers continuously offering services or products they were not interested in. Just think about the number of calls the average consumer receives about PPI or accident claims.

As a firm of solicitors, we have experienced individuals challenging businesses regarding their data; we have had clients’ former employees using business data in breach of GDPR, placing our client in potential breach; we have seen confusion over opting in and out; misunderstanding on what data you are permitted to hold and share; service providers’ contracts that are out of date; and the sale of data and companies flagrantly breaching the spirit of the GDPR.

Be prepared and be ready

Leading up to the introduction of GDPR, there was a simple message: get ready for the changes by 25 May 2018 or face the prospect of heavy penalties. However, we have not seen a volume of UK court cases or ICO public enforcement notices as expected. The ICO are suffering from extreme over-notification of data breaches. In September 2018, the Deputy Information Commissioner remarked: “Some controllers are ‘over-reporting’: reporting a breach just to be transparent, because they want to manage their perceived risk or because they think that everything needs to be reported...”

What should businesses be doing?

Businesses should continue to be GDPR compliant as we suspect change will come and come fast as many lawyers are gearing up for UK court action. Businesses need to have their processes and policies in place, systems checked and monitored and a record available for any breaches should they need inspection, so they can demonstrate compliance.

Furthermore, the first organisations have been fined for not renewing their fees with the ICO. It is reported that many more fines are to follow. According to the ICO website, “more than 900 notices of intent to fine have been issued by the ICO since September and more than 100 penalty notices are being issued in this first round”.

Businesses should be aware that they will be breaking the law if they do not pay their fees to the ICO. These fees are payable by any business that collects and processes personal data. Action being taken by the ICO is ultimately good for the individual for two reasons. Firstly, businesses are concerned they will be faced with severe penalties by the regulator if they fall foul of the regulations, and secondly, businesses want to maintain customer confidence by being compliant and committed to the safeguards they must implement. Both go hand-in-hand and thus it will allow for better protection of individuals’ data.

GDPR has allowed data protection laws across the EU to become more harmonised and keep up with the new changes businesses have implemented in collecting personal data. This has also seen several regulators across Europe deal with an increase in the number of complaints received from individuals.

What have the last eight months taught us?

We have seen more businesses strive to implement real change in the way they collect data and handle it. Some of the work which we have undertaken for businesses has been reviewing and drafting customer and staff policies; web policies; amending staff handbooks and contracts; auditing their third-party contracts; general assistance with their processes; and internal training. These are some of the things that other businesses can take note of and really think about when considering their own processes.

If anything can be taken from all of this, it is that data protection is fast becoming an area where more ‘breach cases’ will arise. Businesses must continue to actively remain GDPR compliant by reforming and improving their processes and policies if they are to protect themselves from litigation and/or action being taken against them by the ICO.

Karen Holden is an award-winning lawyer and Founder of A City Law Firm.
