On 25 May, the General Data Protection Regulation (GDPR) will have been in force for a year. In the run-up to the GDPR taking effect, the news was ablaze with predictions of enormous fines and a barrage of confusing advice from data protection specialists and would-be experts. Twelve months later, the sky has not fallen in, though from a data-protection perspective 'business as usual' is noticeably busier.
GDPR sought to enhance data protection by imposing more stringent obligations on organisations and granting individuals broader rights. Of those rights, the biggest impact on businesses has probably come from the right of access and the right to erasure (commonly known as 'the right to be forgotten'), because an ever-more informed public now knows how to use them.
The right of access is not new, having been introduced by the Data Protection Act 1998 (DPA). It grants individuals the right to a copy of the personal data held about them by organisations. However, under the GDPR the response period was reduced from 40 days to one month (extendable by a further two months where a request is complex, provided the individual is told why within the first month), and a fee cannot usually be charged. Data subject access requests (or 'DSARs') can be very time consuming.
For instance, a request from a disgruntled long-serving ex-employee might typically be for 'all the personal data you hold about me'; a search of a company's IT systems against that ex-employee's name could potentially generate tens of thousands of 'hits', though many of these will be false positives. Further analysis will be required to remove references to other individuals, and any personal data that is subject to an exemption. Meanwhile, the right to erasure is frequently misunderstood, and only applies in certain circumstances – nonetheless, dealing with access and erasure requests alike is time consuming and disruptive for businesses.
GDPR introduced the obligation for organisations to report personal data breaches to the Information Commissioner's Office (ICO) within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to individuals. Breaches that are likely to result in a high risk to individuals must also be reported to the affected individuals themselves. Typical personal data breaches include cyber attacks (or 'hacking'), lost documents, and lost or stolen electronic devices such as smartphones and tablets. Unfortunately for organisations, breach reports may precipitate an ICO investigation, and if this reveals inadequate data protection measures, the organisation may be in trouble. Organisations must also keep an internal data breach log recording every personal data breach, including those judged not to require notification and 'near misses', so that the ICO can inspect it should the need arise.
The GDPR introduced the accountability principle. It means organisations must not only comply but must be able to demonstrate compliance, for example by way of documented policies, processes and the 'record of processing activities' or ROPA. The ROPA is a description of the personal data held by an organisation, along with other information such as the purpose of processing and recipients. In practice, organisations typically maintain a number of ROPAs, including one for the personal data held for HR purposes.
GDPR requires businesses to be more proactive in their compliance measures than the previous law did. Put simply, GDPR means organisations need to be 'better at data protection'. In practice, this means more work, as organisations are required to implement more extensive compliance measures.
Developments in the coming year
To address the elephant in the room first, both the government and the ICO have confirmed that the provisions of GDPR will remain in effect in the UK post-Brexit. However, whether the UK will receive an 'adequacy decision' from the European Commission, allowing it to go on receiving personal data from the remaining EU member states without additional safeguards (for instance, personal data in HR records from continental Europe), remains to be seen. All organisations can realistically do is continue to watch this space.
The ICO is one of the more active data protection authorities, however it has not yet issued a fine under the GDPR as it continues to work through breaches that took place while the DPA was still in force. The coming year is likely to witness the first UK fines under GDPR, and it will be interesting to see whether they live up to the hype.
James Castro-Edwards is a partner at Wedlake Bell LLP, and leads the firm’s outsourced data protection officer service, ProDPO