Last week the UK data protection regulator, the ICO, issued its Annual Report. Clearly this is a big year for the ICO and possibly a good indication of what we can expect after May 2018 when the new data protection laws come in.
The report shows an increasing awareness of data protection and a willingness of people to exercise their rights. Complaints were up 12%.
The ICO issued 16 monetary penalty notices for breaches of the Data Protection Act 1998. The largest fine was £400,00 imposed on TalkTalk. You can read about that here http://www.corderycompliance.com/talktalk-fined-a-second-time-for-data-breaches/. Those 16 fines totalled £1.6 million. In addition, there were 21 criminal convictions including 6 for failure to register with the ICO.
Fines were not the only game in town, however. Again, as a hint of what may come next year, the ICO conducted 35 audits, 22 information risk reviews, 23 follow-up audits and 58 advisory visits. As we explained in our GDPR FAQs (at www.bit.ly/gdprfaq), the new General Data Protection Regulation (GDPR) significantly extends the powers of regulators to conduct data protection audits, and so we can expect to see this volume increase.
Right to be forgotten
We have written extensively on the right to be forgotten, most recently when we looked at a new ECJ case on the right to be forgotten in March – http://www.corderycompliance.com/client-alert-european-court-limits-right-to-be-forgotten/. The ICO was asked to intervene in 300 right to be forgotten cases last year and it got involved in around 100, asking the information provider to remove the information. Again, the right to be forgotten is considerably extended in GDPR, where it is also called the right to erasure. There is more on this in our FAQs here www.bit.ly/gdprfaq and detailed guidance on how to deal with right to be forgotten requests in GDPR Navigator here www.bit.ly/gdprnav.
People often forget that there is parallel legislation under PECR (the Privacy and Electronic Communications Regulations), which also featured in significant enforcement action last year. PECR is itself set to be replaced. There is more information on that replacement process here http://www.corderycompliance.com/proposed-eu-e-privacy-regulation/. Twenty-three penalties were issued for breaches of PECR, with fines of just under £2 million.
Subject access rights
The subject access request (SAR) regime is set to be extended under GDPR. SARs will become free from May 2018 when GDPR comes in, and the time to deal with a SAR is reduced to 28 days (albeit with the possibility of extension). There is more detail on the new SAR regime in our GDPR FAQs here www.bit.ly/gdprfaq and detailed guidance on SARs and how to handle them in GDPR Navigator here www.bit.ly/gdprnav. GDPR Navigator also contains a detailed review of the UK’s new Subject Access Code of Practice. The ICO Annual Report continues to highlight the issues involved in dealing with SARs under the current regime: 42% of ICO complaints are about the SAR regime – the same percentage as last year.
What is to be learned?
There are a number of lessons to be learned from this year’s Annual Report which we discuss in more detail in GDPR Navigator. Amongst them are:
- the fact that the ICO is an active regulator. There are some who believe that GDPR will not be enforced. We have always thought that is either ignorance or wishful thinking, as we explain in our “Fake News” film and blog here: www.BIT.LY/GDPRfake.
- fines are not the only weapon in a regulator’s armoury.
- the right to be forgotten is likely to be well used when it is extended under GDPR.
- the rising level of SARs is here to stay.
It is highly unlikely that the level of activity will dip when GDPR and the replacement for PECR come in. If anything, the Annual Report just highlights that businesses need to do all they can to get ready in time.
Cordery has extensive resources to help businesses prepare for GDPR and deal with their existing data protection compliance. Our GDPR Navigator subscription service includes films, alerts, monthly update calls, precedents and procedures for one fixed annual fee. You can find out more details at: www.BIT.LY/GDPRNAV.
For more information please contact Jonathan Armstrong or André Bywater, who are lawyers with Cordery in London, where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1784
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1785