GDPR: is this thing on?

Was GDPR really such a big deal?

People started talking about the notorious GDPR in earnest in 2016. It was the veritable Eye of Sauron. It was definitely coming. And it was probably going to get you. Maybe your children too. There was a lot of talk about consent. If you overheard someone’s name or another piece of information that might identify them, it was best to get their explicit consent in writing. Ideally, in blood. There was a lot of misinformation (or at least misconstrued information), but we did at least get some super, if slightly nerdy, Twitter LOLz out of it, like this little gem:

By the time it came into force just over a year ago on 25 May 2018, lots of individuals and businesses had spent 1000s of hours (and pounds!) thinking about it and talking about it. Inboxes were flooded with emails containing consent requests and updated privacy notices. People were at their wits end.

And then there was silence. 26 May 2018 dawned as we knew it would and very little had changed. Indeed, in the months that followed, there was very little appreciable change. The ICO (the data protection supervisory authorities in the UK) allayed our fears by assuring us that it wasn’t going to start prosecuting data controllers and processors for non-compliance on 26 May 2018 and that, in fact, there was going to be an unofficial ‘grace period’ after GDPR came into force during which people would be allowed to ‘get their houses in order’.

Yes, GDPR was, and definitely is, a big deal!

Having said all that, it would be incorrect to think that, because the ICO took a seemingly lax approach in the past 12 months, so in shall be in the future. For one thing, the ICO has not exactly been sitting on its laurels for the last year. It has called out HMRC on its voice ID authentication system, for which it found consent had not been collected. It also reported a massive increase in reports of data breaches in the first month after GDPR became law. For another, investigations into GDPR take a long time (especially with a substantial and growing backlog) and the ICO has said that their enforcement actions in the past year have mainly been focused on legacy investigations (e.g. fines have been handed to Uber, Facebook and Equifax for breaches of the previous data protection law).

What to do?

With that in mind, now is the time to start paying attention to your GDPR compliance if you haven’t already. As has been widely reported, year two post-GDPR is not going to be a repeat of year one post-GDPR. As recently as last week, it was reported that the Data Protection Commission (the data protection supervisory authority in Ireland) has begun investigating Google for GDPR infringement.

Therefore, if you are a ‘data controller’ for the purposes of GDPR (as almost all businesses are, large or small) you should review your data processing activities and in particular you should ask yourself the following questions:

• WHO: Who are your data subjects (customers, employees, suppliers, others)?
• WHAT: What personal data do you process (for each category of data subject above)?
• WHY: For what purpose(s) do you process personal data (for each category of data subject above)?
• LEGAL BASIS: What is the legal basis on which you process personal data (consent is only one legal basis)?
• LIA: If you rely on the much discussed ‘legitimate interests’ basis, have you carried out and documented your ‘legitimate interests’ assessment?
• DATA PROCESSORS: Do you use third-party data processors (e.g. outsourced payroll, HR or IT providers)?
• DATA PROCESSING CONTRACT: If you do use third-party data processors, do you have a GDPR-compliant data processing agreement in place?
• O&T MEASURES: Do you maintain appropriate ‘organisational and technical measures’ (e.g. secure servers, encryption and pseudonymisation of data, password protection and staff training)?
• INTERNAL RECORDS: Do you maintain an appropriate internal record of your data processing activities?
• DIPA: Are you carrying out any activities which pose a particularly high data protection risk such that a data protection impact assessment is required?
• PECR: Have you thought about how your data processing compliance might also be impacted by Privacy and Electronic Communications Regulations (in particular in the context of any marketing materials that you might send out by email or by text)?

The list goes on, but it is worth bearing in mind that GDPR is generally regarded as a good thing. Its introduction in 2018 marked the most important change in European data and privacy regulation in 20 years. GDPR was never intended to prevent the processing of data (which is an integral part of commerce and life in the 21 Century), but it did impose important responsibilities on those who deal in personal data and it armed the citizens of European with actionable legal rights allowing them to ensure the protection their private information.

Briffa are experts in all aspects of data protection and intellectual property law and practice. If you would like to arrange a free consultant, please contact us on 020 7096 2779 or info@briffa.com. We have help our clients with everything from data protection audits, to drafting privacy notices and data processing agreements, to dealing with data breaches and we would be pleased to assist you.

Written by Éamon Chawke, Solicitor