The GDPR became law on 25th May 2018 across all member states of the European Union. Where are we with it right now in the UK?
In the words of the EU, the GDPR is both “an effort to simplify regulations for (EU) businesses” and “to give citizens back the control of their personal data”. For UK companies and the public sector it was the most profound change to data protection law since the Data Protection Act 1998, and across the EU since the Privacy and Electronic Communications Directive of 2002.
What is the GDPR?
Since its introduction in May 2018, any data an organisation holds from which a natural person can be identified, directly or indirectly, is personal data.
Take the case of the fictional Joan Jet, working as a commercial disputes solicitor (the firm she works for is incorporated). Joan’s personal email address (for example firstname.lastname@example.org) will be covered by the GDPR. When Joan is working at her firm and she receives her emails at email@example.com, this is now also considered personal information whereas before it could be argued not to be.
The fact that she is identifiable is all that matters.
Because the data, as formatted, is enough to identify Joan, there are rules on how her information may be collected and how it must be treated. Her data may only be processed “for legitimate, explicit, and specified reasons”.
The GDPR gives Joan far more legal control over her data than she has ever had before.
Let’s say that your firm held Joan’s data. That is fine as long as the following conditions are met:
- You must process her data transparently, fairly, and lawfully
- You must only keep the data needed for processing – each field of data has to be “adequate” and “relevant”
- You must keep her data accurate and up-to-date
- You must keep and process her data with security appropriate to the risk it carries
- You must only keep her data for as long as you need it for processing
- You must make all of the data you hold on Joan accessible to her on request
- You must inform Joan of how you intend to use her data (including passing it to other firms) and, where consent is the lawful basis you rely on, obtain it for each purpose in advance.
Because you and your firm represent her legally, you will likely hold information about Joan that is highly sensitive and personally important. The GDPR expects you to look after Joan’s data far more broadly than the laws that preceded it required.
What are the penalties for getting it wrong?
If you suffer a personal data breach that is likely to result in a risk to individuals, you must notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of it, describing the nature and extent of the breach. Depending on its severity, and on how rigorous they judge your response to have been, the ICO may visit your premises as part of their investigation. They will want to be sure that your firm did everything it reasonably could to prevent the breach.
Where the breach is likely to result in a high risk to the people concerned, you must also contact them directly without undue delay. In that communication you must tell them what risk their personal information has been exposed to and how serious it is.
In the worst cases, the ICO has the power to fine you up to 4% of your global annual turnover or €20,000,000, whichever is higher.
The GDPR became law on 25th May 2018. Where are we with it right now?
Data breach reports up four times since GDPR introduction
As reported on the Legal Futures website, the Information Commissioner’s Office (ICO) has seen the number of reported data breaches rise more than fourfold, to 14,000 in 2018 from the 2017 figure. The number of complaints made by consumers to the ICO has more than doubled, to 41,054.
Major breaches recorded in 2018 include cases involving the Police Federation, Amazon, Marriott International, British Airways, Equifax, and Ticketmaster against which a £5m joint damages claim has been launched under the direction of Hayes Connors Solicitors.
“59,000 reported GDPR breaches across Europe”
The number of breaches reported to the ICO topped 14,000 in the UK, but the total across the whole of the European Union reached over 59,000. The UK, Germany, and the Netherlands saw the greatest number of reported breaches in total, although the highest number per head of population occurred in the Netherlands, Ireland, and Denmark.
A report by DLA Piper found that 91 fines for breaches had been reported, the largest of which was the €50m fine imposed on Google by the French authorities. Sam Millar, a partner at DLA Piper, stated that “we anticipate that regulators will treat data breach more harshly by imposing higher fines given the more acute risk of harm to individuals. We can expect more fines to follow over the coming year as the regulators clear the backlog of notifications.”
GDPR is "holding European tech companies back"
63% of Europeans have not heard of the GDPR, according to Eurobarometer, and, surprisingly, internet users in nine EU states feel they had more control over their personal data in pre-GDPR 2015 than they do now. Worse still, EU consumers’ trust in the internet has dropped to its lowest level in a decade, according to the EU’s own pollsters.
Since the GDPR, according to an FT article by Eline Chivot, venture funding for EU tech firms has dropped by a third. The same article reports that restrictions on the use of personal data in AI systems have made credit decisions harder, and that 74% of respondents to a survey by Germany’s digital trade association, Bitkom, said the new data protection requirements were “the main obstacle” to developing new technology.
A large UK GDPR fine may be coming
Pinsent Masons’ cybersecurity division has published a white paper on the impact it believes the GDPR has had in the year or more since it became law, reports Irish News.
Technology remains a prime business driver as companies seek technological and competitive advantages. That focus on technology may leave a company more vulnerable to cyber attack, although Pinsent Masons report that “cyber security is high on board agendas”.
Where a breach did occur, around half of companies discovered it within the 72-hour reporting window imposed by the GDPR. The ICO has so far been relatively lenient on businesses that have failed to meet their obligations; however, Pinsent Masons warns that “the ICO has indicated that a ‘large fine’ can be expected within weeks.”
GDPR and small businesses
For smaller businesses, the burden of the GDPR in money and staff time spent on compliance is proportionately much greater than it is for larger businesses and public sector clients. 90% of SME owners do not know what rights the GDPR grants the consumers whose data they hold, and awareness of the GDPR itself has actually dropped within the small business community since it became law, according to CPO Magazine.
GDPR, the legal profession, and Sprout IT
Sprout IT provides high quality legal IT support, cloud services and consultancy for the legal industry, 24/7, 365 days a year. Under the GDPR, your legal firm can outsource the Data Protection Officer (DPO) role to an external provider such as Sprout IT. We offer a governance and compliance service with measurable ROI.
To speak with one of our team about GDPR and your practice/chambers, call us today on 020 7036 8530 or email us.