They think it’s all over!

Business Insights

Happy New Year 2019!!!

25 May 2018, when GDPR became the new standard for data protection in Europe, seems a long time ago. Data protection has settled down and the panic is over. The whole "GDPR thing" is done and dusted. We have new problems to manage, including Brexit scenarios.

But is it all over? We are certain that it is not.

Throughout 2018 we saw continued reporting of data protection breaches: Uber fined £385,000 for security breaches; British Airways under investigation for security breaches exposing the personal data of its customers; Heathrow airport fined £120,000 over a lost memory stick; Facebook under investigation for unlawful data sharing with third parties; Microsoft under investigation in the Netherlands for storing personal data without notice to consumers and storing it in the US without compliance safeguards; BUPA fined £175,000 for systemic data protection failings; and the Conservative party app which published users' details to other users! All cases that underline the need for a robust data protection law. But where were the eye-watering fines?

Up to 4% of annual global turnover or £17m, whichever is the greater.

Fines currently being reported in the media and by the ICO relate to activity before 25 May 2018, when the Data Protection Act 1998 applied. Those fines are capped at £500,000. Fines under GDPR have not yet worked their way through the ICO's investigation process.

The first fines for failing to register for data protection in the UK were announced on 28 November 2018 with manufacturing, business services, construction, finance, health and childcare sectors being targeted. Monetary penalties under GDPR are sure to follow early this year.

What is new for 2019?

The Information Commissioner's Office has published stacks of guidance on GDPR recently. There is help for small businesses, guidance on carrying out Data Protection Impact Assessments, and guidance on key data protection themes: using children's data; marketing; political campaigning; data sharing; journalism; national security; and various technologies.

And in addition to GDPR?

A new UK Data Protection Act 2018 came into effect in 2018. In case you missed any of it:

· It supplements the conditions for lawful processing of special category data (health, race, religion etc.) and introduces a new requirement if you rely on any of those conditions: the need for an Appropriate Policy on the use of Special Category Data.

· It creates new offences of re-engineering anonymised personal data and of actions designed to frustrate a subject access request, as well as reintroducing the offence of unlawfully obtaining and disclosing personal data.

Breaches of GDPR do not carry custodial sentences (yet!), but the ICO used the Computer Misuse Act 1990 to prosecute an employee at a garage which carried out repairs on cars following road traffic accidents. The employee stole the personal data of customers and sold it to claims management companies, which spammed the customers with offers to follow up the claim on their behalf. The employee received a six-month gaol sentence.

What's next?

The EU's ePrivacy Regulation should be finalised in 2019 and it looks likely that the UK will adopt it to mirror EU regulation. The ePrivacy Regulation is a reform of the cookie rules and electronic marketing consents. It works alongside GDPR and provides a framework of specific data protection rules for electronic marketing activity. It also covers a range of newer communication channels and technologies, including the Internet of Things and Skype, for example. Fines for offences under the Regulation have been synchronised with GDPR-level fines:

Up to 4% of annual global turnover or £17m, whichever is the greater.