Businesses took vastly differing approaches in their seeking to achieve compliance with GDPR (including as to their timetable). That said, most took the task very seriously.
The Data Protection Act 2018 (DPA2018) itself, however, came to the statute books rather late, putting businesses under pressure to map over whether compliance with GDPR meant compliance with the DPA2018 and whether there were additional nuances.
In any event, data protection is not the kind of ‘compliance’ that means that you can ever say: ‘job done’.
Money, money, money
The greater financial responsibility for any breaches of the GDPR has been a key driver for many businesses in their efforts to be as compliant as possible and, crucially, to maintain continuing compliance.
There are two levels of fines under the GDPR: a fine of up to €10 million or two per cent of the company’s global annual turnover of the previous financial year (whichever is higher) or a fine of up to €20 million or four per cent of the company’s global annual turnover of the previous financial year (whichever is higher), and the level depends on the type of infringements. The potential fines are clearly substantial and aimed to ensure companies maintain this continuing compliance with GDPR.
Fines for breaches will be considered on a case-by-case basis. They will take into account criteria such as the intentional nature of the infringement, how many data subjects / people have been affected and whether there have been any previous infringements by the business.
Allocation of liability
Whilst we await the first enforcement actions and compensation claims, suppliers and customers are continuing to debate how (generally by way of a written contract) liability should be allocated between them if there is a breach.
For compensation claims from individuals, the GDPR states that the individual can bring that claim against any controller or processor who is involved in the processing - unless they can demonstrate that they were not in any way responsible or, if a processor, they had complied with all of their obligations. Both parties to a transaction are, therefore, often looking for protection if they need to pay out but it is the others’ fault.
Many organisations are also looking for protection if they are subject to a penalty notice. This one is much more difficult. The ICO will need to issue any penalty, taking into account the considerations set out in the GDPR, as well as the Data Protection Act 2018, which include considering the degree of responsibility.
To therefore try to recover a penalty from a counterparty which was issued to you on the basis that the ICO considers you to be responsible could involve arguing that the ICO had got this assessment wrong. So, it’s not as simple as allocating responsibility in a contract and being comfortable you can rely on that contract.
Indeed, we await clarification as to whether penalties / fines under the GDPR could be unrecoverable from your third party suppliers (even if contracted for) at law as being ‘against public policy’ - in other words, whether allowing an organisation to recover a penalty issued under the GDPR / DPA2018 is in the public interest, or should organisations face up to the fines that the regulator has meted out to them? This will be an important development to watch.
What about insurance?
The insurance market for these types of losses is not yet mature. It’s worth checking in detail that the coverage offered will be sufficient for the losses you fear you may suffer, but also look out for terminology such as ‘to the extent recoverable’, as your insurers may well exclude coverage for loss which they cannot recover against another party (for example, your supplier / sub-contractor), placing the risk of these public policy arguments being raised again in your corner.
Sensitive data, but not as we know it
One of the things your GDPR compliance plan will or should have touched upon is creating your record of processing activities, or ROPA, required by Article 30 of the GDPR. This may be the first time you’ve / your business has sat down and considered where and when your business is processing personal data. And then businesses have had to consider why, and which of the prescribed lawful bases for processing apply to these existing activities. Let’s take, for example, biometrics.
One change under the GDPR that may not have jumped out at you is that biometric data, which is used for the purposes of uniquely identifying an individual, explicitly qualifies as a ‘special category of data’, or ‘sensitive personal data’. This means that, as well as having one of the standard lawful bases for processing (such as legitimate interests), you also need an additional lawful basis, as set out in Article 9 of the GDPR, and, where required, authorised by Schedule 1 of the DPA2018.
This can pose a challenge for the use of biometric data for things like allowing security access to buildings. Article 9 of the GDPR is quite restrictive and protects sensitive data (in its view for good reason). We cannot change our biometric information. If it gets into the wrong hands, there’s no password reset.
Whilst some providers may argue that because their systems simply store a code generated from specific points on an individual’s fingerprint, iris or palm scan, they are not actually storing any biometric information. However, the definition is very clear - ‘personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a nature person, which allow or confirm the unique identification of that natural person’ - exactly what these scans do.
So, assuming that you are comfortable that your business’s processing of biometric data is justified on the basis of legitimate interests, and you’ve carried out your legitimate interests assessment to ensure that the rights of the individual are not infringed, how do you comply with Article 9?
Whilst this data is often used to create better records to assist with any legal claims, or to assist organisations in complying with their legal obligations such as food safety, by ensuring restricted access to certain areas, it is difficult to demonstrate that these are ‘necessary’ for these purposes, as alternative (and arguably less privacy intrusive) methods are available and widely used to achieve those same ends.
In many cases, organisations are left with the option of ‘explicit consent’. In the context of employees, it is generally accepted that consent is incredibly difficult to achieve, as it is a requirement that it must be freely given, and the imbalance of power between an employee and their employer infringes upon this freedom.
Not least, it’s an important aspect of consent that it must be capable of being withheld (and indeed withdrawn). If there’s no other way to access your workplace, no other mechanism to identify employees, then how is consent achieved? This needs considering carefully for an organisation’s individual circumstances.
Compliance is a journey
Whilst organisations and the regulator continue to adjust to the new regime, new guidance and practical challenges continue to arise. There’s more scrutiny being given to the status of controllers and processors, and market positions on contract clauses and due diligence slowly settling in. And UK businesses may also need to start considering the impact of Brexit on any transfers of data with the EU27 / other countries in the EU.
Data protection compliance is a journey, and must be continuously refreshed. Whatever you do, if you focus on the GDPR’s general principle of accountability, and that your organisation needs to take responsibility for how it uses data, that vigilance should keep you on the right track.
Please note that the information provided above is for general information purposes only and should not be relied upon as a detailed legal source.
