We’re nearly 6 months down the line since the implementation of the General Data Protection Regulation (GDPR) and there are already some indications as to its impact. The ICO has shown that it means business and there are no signs that data protection issues will be fading into the background any time soon, with calls for other countries to follow suit as even the Apple Chief Executive calls for tougher laws in the US.
The ICO’s Deputy Commissioner (Operations) made a speech at the CBI Cyber Security Conference highlighting the GDPR reporting trends and reminding organisations of the need to assign sufficient resources to managing data breaches.
Organisations are struggling with the 72-hour reporting period (and there was a reminder that this is 72 hours, not 72 working hours) and there have been issues regarding incomplete reports, something the ICO does not seem particularly sympathetic towards given the guidance it has issued on the subject.
It was also revealed that roughly one third of the 500 calls a week to the ICO’s breach reporting line come from organisations that decide after discussion that the breach does not meet the reporting threshold. Whilst this cautious approach is understandable given the relative panic in the lead up to the implementation of the GDPR, the ICO confirmed that they will discourage this trend towards over-reporting once the new threshold has become more familiar to businesses.
Data breaches and complaints
Between 25 May and 3 July 2018 there was a 160% increase in data breach complaints in comparison with the same period last year, which is perhaps to be expected given the widespread media attention afforded to the new legislation.
The first formal notice has been issued under the new legislation with AggregateIQ (AIQ), a Canadian analytics firm, being accused of processing people's data "for purposes which they would not have expected" during the Brexit referendum campaign. Interestingly, although the data was gathered before 25 May when the GDPR came into effect, the ICO has said that it still applies due to their concerns regarding AIQ’s continued retention and processing of data after that date.
We will have to wait to see the outcome of AIQ’s appeal; however, this serves as a stark warning to businesses that actions taken before the GDPR came into effect are not immune from sanctions, and that companies outside the EU need to be just as aware of the rules as those within it if they transfer data out of the EU or target European markets.
Subject access requests
The new legislation gives additional rights to employees and makes the process of making subject access requests (SARs) simpler. There is now no restriction on the number or regularity of SARs, employers cannot generally charge a fee and they must respond within a shorter timeframe. This, coupled with an increased awareness of data protection rights, has resulted in employers seeing a sharp rise in SARs from staff members.
The significant administrative and financial burden is something that companies may have failed to plan for in the lead up to the implementation of the GDPR. However, with the ICO confirming that mishandling of SARs remains the main source of complaint under the legislation, employers must be careful not to ignore them however much of an unwelcome distraction they may be.