WE HAVE YET to see the full impact of GDPR as recent breaches have not yet translated into fines, but the Information Commissioner’s Office (ICO), which upholds information rights in the public interest, has become tougher.

The much-publicised Cambridge Analytica case cost Facebook the first maximum fine of £500,000 under the Data Protection Act (DPA). More pertinently for many businesses, the ICO fined Heathrow Airport £120,000 (also under the DPA) for losing a USB memory stick which included the names, addresses and passport details of 10 individuals and details of no more than 50 Heathrow security personnel.

The fine was of this magnitude because the ICO found, on investigation, that only 2% of the airport’s personnel had been trained on data protection and that there was widespread disregard of the company’s policies.

What to do: Ensure that you have appropriate policies for the protection of personal data, that staff are trained on them, and that they are followed and enforced.

Employers, beware your staff

The Court of Appeal has found supermarket Morrisons vicariously liable for the actions of one of its employees who deliberately stole and misused Morrisons’ personal data.

The facts were these: An employee of Morrisons who worked in the IT team, Andrew Skelton, was asked by Morrisons to pass an encrypted USB stick containing all of Morrisons’ payroll data to its auditors. Unbeknown to Morrisons, Skelton held a grudge against the business for an oral warning he had been given some months before. Before passing the USB stick to the accountants, he made a copy of the data to a stick of his own and later published it on a file-sharing website with the full intention of damaging Morrisons.

A class action claim was brought against Morrisons by a number of its staff for breach of the DPA. The judge held that Morrisons themselves had not breached the DPA but, as Skelton’s role included dealing with this personal data, Morrisons were vicariously liable for his actions.

The Court of Appeal agreed that Morrisons were vicariously liable for the actions of Andrew Skelton. Morrisons has said it will appeal to the Supreme Court.

What to do: Be careful who you trust with personal data.

Data protection fees

While the obligation to notify or register with the Information Commissioner’s Office under the Data Protection Act has fallen away, businesses still have to pay fees if they are processing personal data. The new fees are payable once the previous notification period has expired. The ICO is, understandably, very keen to pursue businesses that are not paying.

What to do: Make a diary note of when your current registration expires. If you haven’t registered, check whether you need to pay the fees via the self-assessment tool on ico.org.uk.

E-Privacy

The long-overdue E-Privacy Regulation is still winding its way through the European Parliament and Council. The latest draft (issued 19 October) dropped the provisions requiring browser manufacturers to include cookie controls. It does, though, still bring corporate personal emails within the rules for email marketing (which currently apply only to personal email addresses).

What to do: Watch this space, but be prepared to ask for consent to market to corporate email addresses ahead of the E-Privacy Regulation coming into force.

Subject access requests

The number of subject access requests has increased (although this was a trend we noticed prior to GDPR coming into force as people became more aware of their existing rights).

What to do: Ensure the business is set up to deal with subject access requests, and that you can respond within the allowed month.

Finally, if your business isn’t GDPR-compliant, it is better late than never.