General Data Protection Regulation Countdown – 9 months to go
With 9 months to go until the GDPR takes effect, organisations should (if they have not done so already) be in the process of auditing their data processing practices. This should include identifying what personal data is held, why it is held and what the current legal basis is for holding the personal data. An audit should also cover data protection policies, procedures and governance measures, with a plan to implement/update them as required being put in place.
Undertaking a data protection audit can be a time consuming exercise involving a number of different people (for example, the Heads of HR, Marketing and IT). If you require any assistance with carrying out a data protection audit, or if you would like any training on how to conduct a data protection audit, please do not hesitate to contact us.
Data Protection in the News
Data protection has been front-page news over the last few weeks with the Government outlining its click here. Meanwhile, the Information Commissioner's Office ("ICO") has been busy from an enforcement perspective. We have outlined recent enforcement action below along with the lessons which can be learnt.
It is important to remember that these cases represent situations where the ICO has chosen to use its fining powers, which is only one of several enforcement measures at its disposal. The ICO has for a long time been a regulator which is keen to encourage compliance rather than taking too heavy handed an approach when it comes to financial penalties. The current Information Commissioner, Elizabeth Denham, this month posted a blog making clear that the ICO will continue to adopt a proportionate approach when it comes to any decision over the use of - or level of - fines issued once the GDPR comes into force.
Recent Enforcement Action
Moneysupermarket.com Ltd has been fined £80,000 by the ICO for sending 7.1 million emails to customers who had opted out of receiving direct marketing. The emails attached Moneysupermarket's updated terms and conditions and asked the customers if they wanted to change their mind about opting out. The ICO commented that:
"When people opt out of direct marketing, organisations must stop sending it, no questions asked, until such time as the consumer gives their consent. They don't get a chance to persuade people to change their minds."
Organisations should review what consent mechanisms they have in place. For further information on consent under the GDPR, please click here.
A recruitment manager has been prosecuted and fined £573, as well as ordered to pay costs of £364 and a victim surcharge of £57 (totalling £994) for illegally disclosing 26 CVs containing the personal information of HomeServe job applicants to a third party employment agency.
Whilst the case primarily serves as a warning to employees about the potential consequences of illegally sharing personal data they have access to, organisations should also take note and ensure that they have appropriate policies and procedures in place and ensure that staff are trained on how to handle personal data.
Boomerang Video Ltd has been fined £60,000 after it suffered a cyber attack which resulted in 26,331 customer details being accessed by hackers. The subsequent ICO investigation found that Boomerang Video failed to take appropriate security measures to protect its customers' information from cyber attackers.
Cyber attacks are a constant threat to organisations. If an organisation suffers a cyber attack, it could significantly impede that organisation's operations. In addition, it is clear from the above that the ICO will want to know whether the organisation adopted appropriate technological and security measures to reduce the threat of the cyber attack. If it has not, a fine may follow. Organisations should therefore ensure that appropriate technological and security measures are implemented, and that they are tested and updated regularly.
This article is for general guidance only. It provides useful information in a concise form. Action should not be taken without obtaining specific legal advice.