GDPR 1 Year On

May 25th, 2018

The GDPR came into force on the 25th May, 2018. From that point onwards, any organisation around the world processing data relating to European citizens had to comply with the new data security laws

GDPR 1^st Anniversary

Information from the European Data Protection Board (EDPB) report published in February 2019

Total fines issued:
€55,955,871

Number of Data Breaches reported by a data controller:
64,684

Individual complaints received:
94,622

Full report: http://www.europarl.europa.eu/meetdocs/2014_2019/plmrep/COMMITTEES/LIBE/DV/2019/02-25/9_EDPB_report_EN.pdf 

GDPR vs. Global Brands

Many tech giants set their European headquarters in the Republic of Ireland. Facebook, Google, Apple, Microsoft, Twitter, Dropbox and many more fell under the GDPR as applied in Ireland.

The Irish Data Protection Commission said that in the first year of GDPR, the subject of most data investigations involved the tech giants, with Facebook and it’s brands Instagram and WhatsApp being the most investigated.

Google has already received a £44,000,000 fine from the French data regulator CNIL for it’s handling of personal data in targeted advertising, it is also facing another investigation from the Irish DPC for similar offences.

The tech giants, along with everyone else, had two years notice of the new regulations, but it appears many of them chose to make the minimal effort to adjust to the regulations.

In the USA, individuals have less robust data protection and privacy laws, and its thought that many global companies set the USA standards as the defacto standard. European GDPR sets the bar much higher and gives individuals much more control over the use of their data.

Information Commissioner’s Office

ICO Enforcement

Data taken from the ICO enforcement page May 25th 2018 – 12 February 2019

ICO Fines issued:
34 (£3,335,000)

ICO Actions Taken:
59

ICO Prosecutions against individuals:
9

Penalties issued to data controllers who have not registered: 103

16 of those were for the maximum amount of £4,000 18 of those were for organisations in the financial/pensions industry Organisations in Construction, Manufacturers, Services and Health were also commonly fined

PECR Nuisance calls & messages reported: 51,314	…of those: 26% were for accident claims 15% were for broadband and telecoms services 9% were for PPI 8% were for computer scams
PECR Spam text messages 13,623	..of those: 12% were for charities 8% were for banking scams 5% were for energy saving companies 3% were for accident claims
PECR Automated calls: 13,623	…of those: 40% were for accident claims 17% were for broadband and telecoms services 11% were for PPI 8% were for Computer scams

Number of complaints about the use of cookies:
949

Some of these fines were a result of complaints made under the Data Protection Act 1998 before the GDPR came into force. The powers available to the ICO and the level of fines that could be issued were significantly lower under the old DPA.

 https://ico.org.uk/action-weve-taken/ 

The ICO is responsible for GDPR Compliance in the UK. If an organisation poresses personal data it is required to be registered with the ICO and to comply with the GDPR, regardless of size.

The ICO have stated that they are looking for organisations to develop on their compliance to include data security by default. This means that any changes or new functions within the organisation will include GDPR as part of the process.

Polish Data Protection Officer fines polish company €220,000 for processing the personal information of people without making them aware of the processing.

https://edpb.europa.eu/news/national-news/2019/first-fine-imposed-president-personal-data-protection-office_en

Data Protection Officers

DPO’s are a requirement for some organisations, and recommended for other smaller organisations. Organisations can make user of external third party DPO’s to help keep costs down and to being in the required experience.

Over 500,000 organisations registered DPO’s across Europe since the introduction of the GDPR

Data Protection Offices

Data taken from JAPP May 2019

Estimated DPO’s:
500,000

Documented DPO’s: 375,000

182,000 in Germany 51,000 in France 48,000 in Italy 32,000 in the UK 30,000 in Spain

Number of cases received by DPOs:
280,000

https://iapp.org/resources/article/gdpr-one-year-anniversary-infographic/ 

A (very quick) overview of what the GDPR is.

Personally Identifiable Data

Personally Identifiable Data is any information that can be used to identify an individual. Obvious data like someone’s name or customer reference number, and less obvious data like a photo, customer number or CCTV image.

Data Subject

The Data Subject is the individual that the personally identifiable data relates to.

Special Category Data

Some information falls under ‘special category data’ this information has extra precautions on it, such as needing explicit consent for processing it.

Special Category Data includes health, ethnic, religious, biometric and sexual information.

What is meant by ‘processing’?

How data is processed is the core of the GDPR. Processing data means any operation performed on data, such as collecting, storing, recording, organising, retrieval, transmission and so on. The data can be digital, paper based or in any other organised structure.

What consent is required?

If you’re collecting information, you need to give the data subject sufficient information about why you’re collecting the information, what you’re going to use it for and how long you’re hold onto it.

If you plan to use the data for a number of reasons (such as for sending marketing information and for processing an order) you need to give the data subject the option to select each use individually.

If you’ve acquired the data not directly from the data subject, you have a limited time to alert the data subject of how and why you received their data, where it came from, how you plan to use it and to give the data subject information on their rights.

If you’re processing special category data, you need to get explicit consent from the data subject before processing.

Not just consent

Consent is only one of a number of lawful basis for processing personally identifiable information. The GDPR give a number of alternatives that might be more appropriate for your situation.

What rights do you have?

As a Data Subject, you have the following rights to manage how your personally identifiable data is used:

• The right to be informed
  You have the right to be informed about how and why your personally identifiable information is being processed.
• The right of access
  You have the right to request access to any personally identifiable information any organisation holds about you.
• The right to rectification
  You have the right to have accurate information processed. If an organisation has inaccurate information they are required to correct it.
• The right to erasure
  You have the right to have information erased after it’s lawful processing has completed.
• The right to restrict processing
  You have the right to restrict further processing of your personally identifiable information.
• The right to data portability
  In some situations, you have the right to receive a portable copy of your personally identifiable information in a format that can be easily transported to a different provider.
• The right to object
  In some situations you have the right to object to the processing of your personally identifiable data.
• Rights in relation to automated decision making and profiling
  If data is being processed automatically and determining your eligibility for some service, you have the right to object to the automated decision making.

GDPR Myths

GDPR Prevents data sharing
This is not true, the GDPR does put security and precautions on how data can be shared, such as the type of data that can be shared, the reason for sharing, who it can be shared with and how the data subject needs to be notified. As long as the reason for sharing data is legal and legitimate and the data subject has been made aware of the share, and given the option to not have their data shared, it is fine to share the information.

American tech giants will ignore the GDPR
A lot of tech giants have their European headquarters in Ireland, the Irish DPA responsible for enforcing GDPR in Ireland is already investigating some of the big global names like Facebook and Apple. The French DPA have already issued a massive £44,000,000 fine against Google over it’s lack of transparency.

California have since released it’s own version of the GDPR, it’s the USA’s most comprehensive data protection laws, and it’s got a lot of support, there have already been calls for a GDPR like US-wide federal law protecting personally identifiable information.

Consent is required for everything
While Consent is a lawful basis for processing information, it’s not the only one. GDPR gives organisations several basis for processing personally identifiable information. You should make sure you’re using the right basis for your processing as ti can affect the rights that users have to their information.

You can’t use marketing emails
Under the GDPR, you need to make data subjects aware how you’re going to process their information. As long as the user chooses (opts IN) to receive marketing information, it’s perfectly fine to use their information in that way.

We don’t use computers, GDPR is only about digital information
The GDPR applies irrespective of the type of filing system you use. If you’re processing information that the GDPR covers, you need to be registered and compliant with the GDPR.

Other information that might be of interest.

Caldicott Report on the handling of medical information.
https://www.igt.hscic.gov.uk/Caldicott2Principles.aspx?tk=436113758099715&lnv=18&cb=3dc43b21-7fd7-4897-af04-0c027c7dd4a3