Businesses have been warned to expect authorities to start cracking down on breaches of the General Data Protection Regulation (GDPR), as the landmark legislation turns a year old this weekend.
The Europe-wide data protection rules came into force on 25 May 2018, forcing many employers to rethink how they handle employee data, and massively increasing the potential fines for data breaches.
In that time, a number of trends have stood out for employers, says Stefan Martin, partner at Hogan Lovells.
The number of employees trying to use data subject access requests as a way to obtain documents that may help them in an employment dispute continues to rise. “The GDPR seems to have heightened awareness of this as a litigation tactic and the removal of fees means there is no reason for employees not to make a request,” said Martin.
“Employers are having to take requests seriously because of the risk of potentially significant penalties if they do not.”
Organisations have also had to rethink their pre-employment screening. Under the old Data Protection Act 1998, employers could assume that, as long as they had consent, they could run background checks on potential recruits; under the GDPR this is no longer the case.
“It is much more important for an employer to identify whether it has a legitimate interest in running a check, and whether the check it wants to run is proportionate,” said Martin.
“The conditions for processing sensitive personal data have proved problematic in some cases. Pre-employment medical checks used to be regarded as routine and uncontroversial, but it is clear that checks that an employee regards as unduly intrusive are open to challenge under the GDPR.”
Martin added that many employers were nervous about the possibility of vicarious liability in the event that an employee breaches data protection law, even where the organisation had complied with all its own obligations – as Morrisons experienced when an employee stole data including the names, addresses, salaries and bank details of almost 100,000 staff.
The supermarket was found liable by the High Court: a ruling that was upheld by the Court of Appeal. It is now appealing to the Supreme Court.
The other concern raised by experts was that, in the year since the GDPR came into force, there has yet to be a major fine as a result of a breach. This has led some to believe that the anniversary will bring a crackdown on compliance.
“While settlement of pre-GDPR data protection cases will have overlapped this period of relative calm, companies should anticipate – and continue to mitigate against – the regulatory action still to come,” said Peter Gooch, cyber risk partner at Deloitte.
The law firm Collyer Bristow also expects the anniversary to be marked by big fines. There have been some high-profile cases, notably the Vote Leave campaign, Uber and Google – the latter of which was fined €50 million by the French data protection authority for breaches of the GDPR.
However, so far the Information Commissioner’s Office (ICO) has issued just 127 enforcement notices against an estimated 10,000 data breaches reported in the UK and 59,000 across the EU in 2018.
“There are good reasons for the ICO to make its presence felt now,” said Patrick Wheeler, partner and head of intellectual property and data protection at Collyer Bristow. “In the last 12 months we have seen major data breaches from, to name just a few, British Airways, Ticketmaster, Facebook and HMRC.
“The ICO will want to show that it takes its responsibilities seriously, that it has teeth, and that it wants businesses to work hard to comply.”