First GDPR fines expected as privacy legislation ‘celebrates’ 1st birthday


On 25 May, the General Data Protection Regulation (GDPR) ‘celebrates’ its first anniversary of being legally enforceable. There’s still much confusion about what businesses need to do to comply, so we thought we’d find out.

We spoke to Andy Chesterman of Bedford-based DAMM Solutions to get the low-down on GDPR and what, if anything, still needs to be done.

“This time last year, many ‘experts’ were scaremongering”, says Andy. “They used the threat of fines to win business (up to 4% of annual global turnover or €20m, or 2% of annual global turnover or €10m); however, to date, no fines have been issued by the Information Commissioner’s Office (ICO).”

That’s good news, but it will not be the case forever. Andy expects the first fines and enforcement action this year.

He continues: “In our experience, the greatest challenges to business have instead come from the supply chain asking contractors or suppliers to demonstrate their compliance by providing specific documents or assurances as to how the business protects personal data.

“Many tender documents now contain a section on GDPR compliance and much of our business is generated from companies requiring professional assistance to create such documents and respond to the tenders.

“Many businesses I speak to tell me ‘they’ve done it’. A quick check on their website for a Privacy Policy – and I can’t find one.

“This alone is a breach of the transparency principle of GDPR. You should be telling me what personal data you use in-house and how it is used.”

Does your privacy policy go far enough?

Even when a company does have a privacy policy, Andy says it often doesn’t go far enough, with many providing a vague document that tells the reader very little about the business’s processing activities.

Many also contain basic errors, such as quoting the Data Protection Act, 1998, which is now defunct, or giving incorrect information on data subject rights.

Some even still charge a fee for the supply of data, or require 40 days to respond, both practices that the GDPR legislation of 2018 sought to get rid of.

The same legislation dictates that privacy policies should accurately describe data subject rights, be reviewed annually and state when they were last updated.

But it’s not just about complying with legislation. Andy says it’s good customer service too: “A website is a shop window for many organisations and the quality of the privacy documentation within it tells much about your GDPR preparations internally.

“If you can’t demonstrate the absolute basics, how can a customer be confident you are able to provide the appropriate protection to my personal data if I engage with you, and how good are you at your business overall?”

GDPR isn’t optional

Data protection legislation is not optional: it is the law, and it has been around for decades. The main difference between the GDPR and earlier legislation is the accountability principle.

Organisations now have to prove they comply, rather than just claim it. This is achieved by creating policy documents (starting with the Privacy Policy!) to detail how personal data is used and how the structure of the business governs this use.

Some facts based on activity across the EU during the first 12 months:

  • According to a report published in February by DLA Piper, more than 10,000 data breaches had been reported to the ICO (Information Commissioner’s Office). This was the third highest total in Europe, behind only the Netherlands (15,400) and Germany (12,600).
  • 91 fines have been issued across Europe. The largest to date went to Google, which was fined £44m for failing to obtain appropriate consent for advertising and for a lack of transparency around the use of data for advertising (DLA Piper). No fines have been issued in the UK yet, but it is believed the first monetary penalties are imminent.
  • In a recent speech to the IAPP, the ICO said it is focusing its investigations on failures around the principles of transparency and fairness of processing. This refers directly to whether privacy policies are available and whether they accurately describe the activities of a business.
  • In the month after 25 May 2018, the ICO received a sharp rise in data protection complaints: 6,281, more than twice as many as in the same period in 2017 (IAPP).
  • 375,000 organisations in the EU are KNOWN to have registered Data Protection Officers; more than 32,000 of these are UK firms (IAPP).

So what should Bedford businesses do to make sure they are, and remain, GDPR prepared?

  1. Register with the Information Commissioner’s Office (ICO). This is a legal requirement for most organisations, and fines are imposed for non-registration.
  2. Conduct a full review, department by department, of all the personal data you hold in-house: where it came from, who you share it with and how, and how long you keep it for.
  3. Consider what lawful basis you have for processing this data – and document this in each instance. Remember, there are six lawful bases and consent is just one. You may have multiple lawful bases.
  4. Review your supplier contracts, as many will need privacy-specific addendums. As the data controller, you are now liable for the processing activities of your suppliers (data processors).
  5. Create policies (including a privacy policy) that reflect how the business uses, stores and transfers personal data. These documents should be built from the detailed review described in point two.
  6. Review and update your policies every year, so that they develop as the business grows and as your use of personal data changes.
  7. Staff training should be scheduled regularly to ensure a culture of data protection is maintained across the business – especially with new starters.
  8. Do you need a data protection officer (DPO)? Under GDPR, a DPO is mandatory in certain circumstances. Any DPO you nominate should be appropriate for the role and there should be no conflict of interest. For example, a senior director cannot assume the role. The DPO should be in place to protect the interests of the data subjects, not the commercial interests of the business.
  9. Do you have the appropriate processes in place to identify, report, manage and resolve any personal data breaches? From the moment a breach is discovered, you now have 72 hours to investigate it and, where required, report it to the ICO.
  10. The GDPR and the Data Protection Act, 2018 detail your obligations to protect the rights and freedoms of those whose personal data you collect and hold. They also require you to have the appropriate processes in place to respond to any requests those individuals submit in relation to their personal data.

One big question Andy says he gets a lot concerns the origin of the GDPR. It’s an EU law, so does that mean businesses won’t have to comply once the UK leaves the EU?

Andy says it’s not that simple: “Brexit will make no difference. The Data Protection Act, 2018 will still apply and, barring a few minor alterations for reasons of national security, this reflects the demands of the GDPR.”