GDPR – review of the first 5 months
It’s almost 5 months to the day since the General Data Protection Regulation (GDPR) came into force in the UK. The months leading up to 25 March 2018 brought a whirlwind of activity in our office as businesses raced to put the necessary measures in place to be compliant by the deadline. The potential fines of up to £20 million or 4% of turnover (whichever is greater) for failing to comply were clearly sufficiently punitive to drive businesses to take action before the deadline date.
Now that the immediate flurry of work is over, businesses need to be alive to data protection issues and stay vigilant to ensure compliance. Care with the use of personal data is the new normal and a way of life, not a one-off exercise. There is definitely a heightened awareness in the business community of the benefits of being able to reassure customers that your use of their data is fair and reasonable. If there is one positive outcome from the Cambridge Analytica and Facebook scandal, in which the UK-based organisation was accused of using data which had been given to Facebook to influence voters in the last US presidential election, it is that people now better understand the value of their data and the power of people who have free rein to use it.
Meanwhile, we are now just starting to see the approach of the Courts to data breaches. We have reported previously on the case against Google for using the Safari Workaround to track users who had switched off this function. In that case the judge found that the individuals concerned had not shown they had suffered damage or distress, and so they failed at the first hurdle.
An even more interesting case is the claim brought by a number of employees against their employer, the supermarket Morrisons. In that case a rogue employee had copied employee data from the supermarket’s system and posted it online, leading to a claim for compensation by the affected employees. The judge hearing the case found Morrisons liable for the acts of its employee. The decision has, however, been appealed and the case was heard last week. At the hearing more was made of the need to strike a balance between protecting individuals’ privacy and allowing free flow, and the exact circumstances of how this breach came about were considered in detail. Will the court follow the decision of the first instance judge, or seek to lay down guidelines as to whether the company is liable for a breach caused by an employee where that employee is so clearly acting independently of the employer? We await the decision with interest.
One thing that is certain is that claims for compensation for data breaches are going to become more common, and businesses need to know the proactive steps they can take to mitigate the risk of litigation and liability for breach, such as rapid action to remedy the breach when it happens.
Written by Margaret Briffa