The Y2K bug was a glitch. For those too young to remember 31st December 1999, here’s what happened – experts had legitimate concerns there was a flaw, whereby dates beyond 1999 wouldn’t be recognised by computer operating systems and whereby 2000 might be read as 1900. This raised fears of IT Armageddon – worldwide chaos for banking, flights, hospitals and even scarier things like nuclear power plants. As I raised a class of champagne at midnight, watching fireworks over London’s skyline, I wondered what would happen.
In the end? Not much. Hence the Y2K bug has gone done in history as an epic piece of ‘Cry Wolfery’. Some even think the whole thing was a hoax.
GDPR is, in no way, a hoax.
Nor is it a fuss over nothing – this isn’t a technical glitch, it’s a careful and deliberate response to revolutionary advances in data technology and business practice, which aims to give individuals more protection. Some might think a year has gone by and not much has happened – unless you’re a lawyer and realise how long it takes for legislation to bed-in, and for cases to percolate through the courts.
Unlike the EU, which operates predominantly under statutes and civil law, UK regulators (who work under a common law system) take a more interpretative, careful and measured approach. Put it like this – EU civil law says ‘anything that isn’t permitted is forbidden’. UK common law says, ‘anything that isn’t forbidden is permitted’. It’s a subtle but crucial distinction. Although the UK system is more flexible and open to interpretation, it means we often rely on case law via decisions already tested in the courts. Until then? We can only use the guidelines we’re given, and show we’re operating in the spirit in which they’re intended. That is to say – what is or isn’t forbidden?
Although the ICO has rules and guidelines on how to enforce GDPR, and companies may accept their rulings, the regulator’s decisions are open to being challenged in UK Courts. The process of building up a body of case law might seem ponderous (although it isn’t – UK courts are good at making measured decisions on arcane points of law, a reason why so many international companies do business here), but it doesn’t mean nothing’s happening, or that nothing will. This may perhaps explain the ICO’s reluctance to jump in with knee-jerk decisions.
Under GDPR EU regulators, are of course, supposed to reach joint/harmonised decisions. However, if these reach the courts it is possible that a German court, for example, could take a different stance from a UK one.
Here are my thoughts on what has been happening and why there is more to come…
There have been ruling and fines: Fines totalling 56 million Euros were issued in the past year. Admittedly, most of this was a whopping fine against Google by the French Regulator, CNIL. Many suspect the regulators are just warming up.
There have been a number of rulings, for example, the Danish DPA found that a company’s voice recordings (for training purposes) were not lawful. The Polish DPA found a company, which sourced personal data indirectly for individuals, had failed to fulfil the right to be informed. The ICO has called out the HMRC on its voice ID authentication system, for which it found consent had not been collected.
Data Breach reporting: We have yet to see the repercussions of the thousands of personal data breaches that have been notified. The ICO, for one, reported a massive increase in reports of data breaches in the first month after 25 May last year – they received 1,700. This has levelled out, but they still receive about 400 a month. The ICO is faced with thousands of incidents to investigate and while we’ve been told there’s a degree of unnecessary reporting – watch this space.
Investigations take time: Stephen Eckersley from the ICO says their enforcement actions in the past year have mostly focused on legacy investigations, with fines handed to Uber, Facebook and Equifax for breaches of the previous law. GDPR breaches are being investigated, but they take time – especially with a substantial and growing backlog.
Fines aren’t the only enforcement tool: Fines are reserved for those who demonstrate a flagrant disregard the rules. Regulators have other powers – they can, for example, issue information notices, conduct audits, issue warnings etc. A number of organisations will have received information notices, in respect of a complaint the regulator has received, requesting an explanation. Failure to satisfactorily respond could put you on the regulator’s radar, as might multiple complaints.
As we know consumers are increasingly aware of their privacy rights – including the right to complain to a supervisory authority. If found to have done wrong, you may not get fined… but errors could be highlighted, impacting on your reputation.
Accountability matters: The ICO has been at pains to stress the requirement to be accountable, a core principle that runs throughout GDPR. I believe this is a key area where organisations may be found wanting. Can you demonstrate you’re taking data protection compliance seriously? I suspect the following (non-exhaustive list) pose risks for some:
- activities undertaken for which data protection impact assessments should’ve been conducted and documented
- an absence of, or very sketchy, record of processing activities
- legitimate interests without a supporting assessment
- a lack of adequate data protection training for staff who handle personal data
- suppliers (processors) being used without adequate due diligence and / or non-compliant contractual arrangements
On the last point, suppliers are seen as a key risk, recent surveys identifying third party suppliers as a majority cause of data breaches.
GDPR isn’t a one-off. It isn’t a glitch, or an unforeseen error. It’s a deliberate and developing response by governments and regulators to the unprecedented challenges presented by data privacy. Those who choose to see otherwise may be most likely to fall foul of it.
Philippa Donn, Senior Associate at the date protection consultancy Opt-4 & DPN Editor
22nd May 2019
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.