GDPR – One Year On


May 2018 marked a seismic shift in data privacy following the implementation of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. Now, more than a year on, data protection lawyer Oliver Tidman looks at how the new regulatory landscape has changed, with a particular focus on SMEs and small businesses in the UK.

During the past year, there were over 240,000 cases across the EU involving data protection complaints or similar issues, according to the EU Data Protection Board. The UK data protection regulator, the Information Commissioner’s Office (ICO), recently issued its first two notices of intention to fine (NOIs) under GDPR, at record levels: £183 million for British Airways and £99.3 million for Marriott International Inc. Both BA and Marriott have indicated they will lodge responses to the NOIs, and if the fines are issued, both will likely appeal.

Those will not be the first group actions to be heard in the UK. Last year we reported on supermarket chain Morrisons, which was found to be vicariously liable for the actions of one of its employees who unlawfully uploaded staff payroll data online. If Morrisons’ appeal to the Supreme Court fails, it faces paying compensation to over 5,000 claimants.

These high-profile cases are examples of what small businesses should avoid. Adequate risk assessments of the data being held should be conducted regularly, along with checks of the liability provisions in policies and processor contracts.

What does the future hold for data privacy?

The small business sector is growing in the UK, with 99% of our 5.7 million businesses employing fewer than 249 people. When it comes to data privacy and protection, small businesses tend to be less prepared. Although the big fines against large businesses like BA and Marriott often make the headlines, the ICO has warned SMEs that the period for getting your ducks in a row is now over.

Whether the long-anticipated update to the Privacy and Electronic Communications Regulations (PECR) happens remains to be seen. PECR currently provides specific rules on privacy and electronic communications (with consent being a requirement for many such communications) and on the use of cookies. The GDPR standard for consent is that it is freely given, specific, informed and unambiguous for each purpose.

The ICO has issued new guidance which makes clear that if cookies require consent under PECR (which they will unless they are essential to provide an online service at someone’s request), none of the alternative lawful bases from GDPR can be used to set them, and GDPR’s standard of consent must be obtained. Although the GDPR standard for consent has become the norm for activities covered by PECR that require consent, many businesses are still struggling to get it right.

If your small business is in the ad tech space, this is also a major focus of the GDPR, and the ICO has said that web and cross-device tracking for marketing is a regulatory priority for the coming year.

Business data controllers and processors need to continually monitor compliance and keep a close eye on regulatory and industry developments to ensure information rights obligations are not breached.

For advice on how to comply with the evolving data privacy regulations or best practice when collecting, sharing or processing data, please contact us.