The new data protection laws are here to stay, and 2019 is likely to be an action year in which the new data rights, complaints and enforcement options will be tested. We have already seen this in France, where CNIL (the French National Data Protection Commission) imposed a record fine of EUR 50 million on Google in relation to Google's use of advertising personalisation.
CNIL found that Google was not sufficiently clear and transparent with its privacy information and had not obtained the required consents. Because CNIL saw Google's economic model as based on the personalisation of ads, Google was also held to an increased level of responsibility. The scale of Google's fine therefore reflected this, as well as the scale of its activities and the fact that the infringements were continuous and ongoing (rather than one-off errors).
The Information Commissioner's Office (ICO), which is responsible for enforcing data protection requirements in the United Kingdom, has been working through a backlog of complaints. Although we expect enforcement to increase, with examples being made, the general thinking of the ICO remains one of support and guidance. The intention is not to drive you out of business, and you can protect yourself by spending a little time on the problem.
In particular, we expect 'Subject Access Requests' to increase as individuals use them to access their data, and these are often accompanied by complaints and legal claims (common triggers are labour disputes and consumers receiving unsolicited communications). We also anticipate the first individual and class action claims brought directly against data controllers (i.e. companies), as call centres and bulk-claims handlers look for a different revenue stream to replace the PPI bubble.
Complying with GDPR
With this landscape in mind, it is important to embed data protection. You can be proportionate to the nature and size of your company, but we advise you to at least consider the following as part of this process:
- Pay the registration fee to the ICO (unless you are exempt).
- Make sure you have the right privacy information in place and available – you are first in line to receive a subject access request if you cannot direct a person to your policies.
- Take the time to understand the data that you collect and why, and be clear about your legal basis for processing it.
- Check your marketing strategy. Although consent to electronic marketing is usually required, it is possible to market to existing customers without explicit consent, and you may also have a legitimate interest in contacting other businesses. However, make sure that opt-out options are offered and that opt-outs are acted upon.
- Train your staff (including your SAR response procedures) and support this with a clear internal data security and retention policy, etc. The ICO always asks for this when investigating a complaint!
- Consider your current insurance policy. In particular: does it cover the actions of a malicious employee, and is cyber insurance appropriate?
- Do everything you can to prevent a data breach, including IT security, destruction procedures and clear policies for employees to follow.
- Check your standard terms and conditions and any customer conditions to ensure that they accurately match your actual data exchange or processing relationship (or lack thereof), while ensuring that liability is appropriately distributed or excluded.
- Remember that you have legal rights and requirements to process personal data, so do not panic. Be confident about why you are processing data and respond accordingly.
- Taking the time to consider your position will prevent unwanted surprises in 2019.
Graham Hansen, Commercial Associate and Data Protection Expert at HRC law