The deadline of 25th May 2018 is deeply ingrained in the corporate psychology of businesses across Europe. That was the deadline by which they strained every sinew to audit their systems, update their data-protection processes, and upgrade their security in order to meet the requirements of the EU General Data Protection Regulation (GDPR).
The most significant change in data privacy regulation for a generation, the GDPR protects customers by regulating how businesses collect, process and use personal data. It has fundamentally changed how they manage and communicate with their consumers and clients.
So what has happened since the deadline passed? The Information Commissioner’s Office (ICO) was established in the UK to protect data privacy for individuals and uphold information rights in the public interest.
The ICO’s caseload has grown exponentially, and companies that breach the GDPR can face large fines and penalties. The ICO recently used its powers to levy fines totalling nearly £300m against British Airways and the Marriott hotel chain.
The GDPR’s impact can extend further. Last October, the Court of Appeal upheld a decision that Morrisons was vicariously liable for a data breach in 2014 by a disgruntled employee who posted the personal data (bank details, addresses and salary information) of nearly 100,000 Morrisons employees online. The Supreme Court is now set to hear the case.
Going forward, vicarious liability is an issue for every business as the GDPR increases the prospects of group actions being pursued in the event of a breach and more opportunistic pre-claim demands being made.
As with so many other factors affecting business, it is impossible to predict how Brexit will affect the GDPR’s application given the uncertain future relationship between the EU and UK.
Whatever the outcome, the ICO is here to stay with the power to impose substantial fines: for the most serious and harmful contraventions, up to €20m, or 4% of annual global turnover, whichever is greater.
Are such fines insurable? Almost certainly not. The insurance industry is reluctant to cover ICO fines on the basis that they are considered criminal or quasi-criminal in nature by the courts: as a matter of public policy, courts do not allow penal sanctions to be indemnified by third parties, since their intended deterrent effect would be defeated or circumvented.
Businesses need to be familiar with the ICO’s Regulatory Action Policy (RAP) which provides important guidance on how to minimise the risk of enforcement action and fines.
In outlining the ICO’s key regulatory priorities, the RAP enables businesses to predict how the ICO will carry out its regulatory activity, including the approach the ICO will adopt when considering whether to issue penalties.
Key factors include: the nature, gravity and duration of the failure; the sensitivity of the data involved; any damage or harm (which may include distress and/or embarrassment); the degree of a business’s responsibility; whether there has been a failure to implement the accountability provisions of the GDPR; any previous relevant failures; and how the ICO became aware of the incident.
Elizabeth Denham, the Information Commissioner, recently summarised the ICO’s approach as ‘assessing the nature and seriousness of a failure, the sensitivity of the subject matter, whether and how individuals have been affected, the novelty and duration of the concerns, the public interest, and whether other regulatory authorities are already taking action on the matter.’
To comply fully with the GDPR, companies which have good governance and risk controls in place need to move from a one-off compliance exercise to making data-protection compliance part of their standard business practice. Those companies that have adopted a less proactive approach can stop putting themselves at risk by taking action and following the ICO guidelines.
Denham has indicated that 2019 is a transitional year and that accountability is the watchword going forward. It is therefore a good time of year to take stock of where your business stands in compliance terms, and whether you need to update your assessment of what you still need to do.
Published in Data Centre Review – 5.8.19