The General Data Protection Regulation (GDPR) came into force on 25 May 2018 amid much fanfare; the UK's new Data Protection Act 2018 arrived on the same date with barely a squeak.
The purpose of the GDPR, made in Brussels, was to update and harmonise data protection and privacy law across Europe and to replace a much older EU Directive dating from 1995.
In a similar vein our national legislation was updated and made consistent with the GDPR, and it provides additional law in the areas the GDPR does not cover.
Essentially the legislation recognises that modern computing lets us transfer, analyse and exploit enormous volumes of personal and other data, so that the data itself has become an extremely valuable tradable commodity.
This has fantastic upsides, e.g. medical research, but in the wrong hands massive downsides, e.g. fraud or the corruption of democracy and elections.
Having got over the initial furore, have we noticed much of change?
If we are honest, many of us may not have. We may have noticed an initial flurry of service providers and retailers who use electronic communication seeking our informed consent to remain on their databases (and availing themselves of the marketing opportunity in doing so), but other than that can we really say much has happened?
The truth is that we have had a revolutionary change in the legislation (bringing it up to date and making it far more powerful) alongside only an evolutionary change in how data is actually managed, used and transferred. So nothing much was going to happen overnight other than the legislation itself.
Whilst the regulatory and legal environment has changed massively, a change in behaviour and culture will take much longer. That necessary change is largely driven by the enforcement regime and the potential for very large fines and adverse publicity. We would be wise to consider how we use, protect, manipulate and transfer data.
A quick look at some of the interventions and fines imposed by our own regulator, the Information Commissioner's Office (ICO), may prove salutary:
Gloucestershire Police – 11 June 2018 – £80,000
Entering all recipients' email addresses into the "To" field of a bulk email (rather than "Bcc"), thereby disclosing every recipient's identity to all the others, in relation to a child abuse investigation.
Noble Design & Build of Telford – 3 July 2018 – £2,000
Failing to register with the ICO.
Equifax Limited – 20 September 2018 – £500,000 (the maximum fine under the Data Protection Act 1998, which governed the incident)
Failing to protect the personal information of up to 15 million UK citizens during a cyber attack in 2017. The UK arm of the company failed to take appropriate steps to ensure that its American parent, which was processing the data on its behalf, was protecting the information.
BUPA Insurance Services Limited – 28 September 2018 – £175,000
A Bupa employee was able to extract the personal information of 547,000 Bupa Global customers and offer it for sale on the dark web. The employee had sent bulk data reports to his personal email account.
Heathrow Airport Limited – 8 October 2018 – £120,000
A USB memory stick was found by a member of the public containing personal and sensitive personal data relating to members of the public and to between 12 and 50 Heathrow aviation security personnel. It appears the stick had been dropped by a member of staff on their commute.
Facebook Ireland Limited – 24 October 2018 – £500,000
Sharing data for political purposes (with Cambridge Analytica amongst others) – the maximum penalty under the Data Protection Act 1998, the legislation applicable at the time.
Secure Home Systems Limited – 31 October 2018 – £80,000
Making marketing calls to 84,347 numbers registered with the Telephone Preference Service (TPS); this is enforced under the Privacy and Electronic Communications Regulations rather than the GDPR. (Many cold callers have been fined; this is just one example.)
Uber – 26 November 2018 – £385,000
Fined for failing to protect customers' personal information during a cyber attack.
Darren Harrison, former head teacher – November 2018 – fined £700 plus costs of £364.08 following an ICO prosecution
Obtained pupil information and performance management data on staff from two of his former schools. Stated to be for "professional purposes".
Hannah Pepper, former doctor's surgery employee – 28 November 2018 – fined £350 plus costs of £643.75 following an ICO prosecution
Accessed the electronic clinical records of 228 patients and 3 staff members outside her role as an administration assistant.
ICO – 28 November 2018
Begins the first of a series of actions, across the business, manufacturing, retail and finance sectors, against organisations that have not registered with the ICO and/or paid the data protection fee. The fees are tiered according to size.
This gives a flavour of the very wide range of actions taken in recent months. Note that almost all of these penalties were imposed under the Data Protection Act 1998, which capped monetary penalties at £500,000; under the GDPR the cap rises to €20 million or 4% of worldwide annual turnover, whichever is greater. We need to be managing the risks posed by theft (hacking), dodgy business methods, inadequate systems and unscrupulous staff.
If any of this causes you concern, please contact our employment team.