25 May 2024 saw the six-year anniversary of the coming into force of the EU General Data Protection Regulation (“GDPR”). Billed as the strongest privacy and security law in the world, the regulation modernised data protection laws and has raised privacy standards throughout Europe and beyond.
Six years on from its introduction (and following the post-Brexit entry into UK law – as the “UK GDPR” alongside other domestic laws), data protection continues to be one of the most pressing and fast-evolving legal challenges facing businesses today.
Unsurprisingly, as the GDPR has aged, privacy disputes and notifications to regulators have increased. For instance, a review of the ICO’s decision notices in recent years indicates that reports to the Commissioner are rising – up 56% from 2021 to 2023.
The costs of privacy litigation, the effect of a data breach on corporate reputation, and even the labour incurred by increasing numbers of data subject access requests all have the potential to place significant strains on businesses. However, set against those pressures, the importance of compliance was underlined recently in Northern Ireland, in the wake of the well-publicised data breach by the PSNI, which resulted in a potential fine of £750,000 (subject to discretionary reduction from £5.6 million in consideration of the public funds involved).
Compliance Reviews
With the above in mind, it is crucial that businesses undertake regular reviews of their data privacy regimes to detect areas of, and guard against the risks posed by, non-compliance. Such reviews should include considering:
- Cookies – are cookies being placed before consent is obtained from website users? Does the banner comply with the latest guidance that “Accept All” buttons should be accompanied by a “Reject All” option?
- Training – have all staff received onboarding and subsequent (annual) refresher training?
- Deletion – has obsolete personal data been purged in line with a data retention & deletion schedule (and does the business have one in place)?
- Testing – when was the last penetration and vulnerability assessment carried out?
- Disaster Recovery – have we had a ‘fire drill’ to test any business continuity / disaster recovery procedure (and again, is a properly considered policy in place)?
- Processors – do all contracts with processors contain the mandatory provisions required to be put in place by GDPR? Was due diligence carried out on the processors’ approach to protection of personal data?
Common Issues
To further guide the review and areas for potential focus, it is useful to check in on some of the common issues being experienced by others, which continue to include:
- using the “CC” function in emails, rather than “BCC”, resulting in accidental identification of other recipients;
- overly intrusive and/or uninformed recording through CCTV systems – particularly of employees and through dashcam systems; and
- failing to implement tiered access to the data which employees can access for their jobs.
Next Steps
Thinking back to 2018 and the heavy lifting that was done as part of the GDPR projects undertaken at the time, it is natural for businesses to hope that the hard work has been done. However, the GDPR does not just require businesses to achieve compliance; rather, the requirement is to maintain compliance.
As such, it might be time to add “Check data protection compliance” back to the to-do list.
Paul Eastwood is a Director and Tim Carson is a Trainee Solicitor in Tughans’ Contracts & Technology team. If you wish to speak to Paul about data protection compliance for your business, please get in touch via email at paul.eastwood@tughans.com.
While great care has been taken in the preparation of the content of this article, it does not purport to be a comprehensive statement of the relevant law and full professional advice should be taken before any action is taken in reliance on any item covered.