On 30 May 2019, the UK data protection regulator, the Information Commissioner’s Office (ICO) published a report, reflecting on its experiences over the year since the introduction of the General Data Protection Regulation (2016/679) (GDPR) and sharing its learnings.
In its report, the ICO describes a year of:
- Supporting: the public, data protection officers (DPOs), SMEs and other organisations in understanding the new regulatory requirements using various tools, including through the publication of guidance, blogs, toolkits, checklists, podcasts and FAQs on its website;
- Taking action: to enforce the GDPR, act on personal data breaches, respond to public concerns, and work with other regulators;
- Enabling innovation: through the development of its regulatory ‘sandbox’ (a new service designed to support organisations using personal data to develop products and services that are innovative and have demonstrable public benefit) and delivery of its Grants Programme (to promote good practice and support research and solutions focused on privacy and data protection issues); and
- Growing the ICO: both in terms of its people (in 2018/19, the ICO’s number of full-time equivalent staff grew from 505 to more than 700 and it is expected to increase to 825 in 2020/21) and its resources (through pushing each organisation required to pay the data protection fee to do so).
The ICO’s regulatory priorities
In taking stock of all that has been achieved over the course of the last year, the ICO emphasises that much is still left to do. In particular, it notes that it will continue to focus on areas it has identified as its regulatory priorities, including:
- cyber security;
- AI, big data and machine learning;
- web and cross-device tracking for marketing purposes;
- children’s privacy;
- use of surveillance and facial recognition technology;
- data broking;
- use of personal data in political campaigns; and
- freedom of information compliance,
and we expect to see more from the ICO both in terms of new and/or updated guidance and enforcement action in these areas over the course of the next year.
Elizabeth Denham, the UK’s Information Commissioner, also notes in her blog post accompanying the publication of the report, that: “The focus for the second year of the GDPR must be beyond baseline compliance – organisations need to shift their focus to accountability with a real evidenced understanding of the risks to individuals in the way they process data and how those risks should be mitigated.”
“The focus for the second year of the GDPR must be beyond baseline compliance – organisations need to shift their focus to accountability with a real evidenced understanding of the risks to individuals in the way they process data and how those risks should be mitigated.”
Next steps for organisations
So, looking to the year ahead, where should organisations focus their attention?
- DPOs: the Commissioner emphasises in her blog post that “well-supported and resourced DPOs are central to effective accountability”. Where required by the GDPR, organisations should ensure that they have appointed a DPO and, most importantly, that the DPO is embedded in the organisation and fully supported by senior management. It will not be sufficient to appoint a ‘token’ DPO; in its Regulatory Action Policy, the ICO notes that when deciding whether and how to respond to breaches of information rights obligations, it will consider whether relevant advice, guidance, recommendations or warnings from the DPO have been ignored or not acted upon.
- DPIAs: in its report, the ICO also emphasises the importance of being proactive in identifying and mitigating new or emerging risks from technological change. Organisations should seek to embed privacy by design and data protection impact assessments (DPIAs) by default for all new processes and technologies, in particular those which present the most serious risks to the rights or freedoms of individuals. Absent a properly conducted DPIA, organisations will struggle to demonstrate an evidenced understanding of those risks and how they should be mitigated. Importantly, in its Regulatory Action Policy, the ICO also notes that data breaches which involve “novel or invasive technology, or a high degree of intrusion into the privacy of individuals” without having done a full DPIA and taken appropriate mitigating action can expect to attract “regulatory attention at the upper end of the scale”.
- Transparency and lawfulness: whilst there has been relatively little enforcement action to-date (on which see more in our recent blog post), one trend which appears to be developing across regulators EU-wide is a focus on breaches of the core principles of Article 5 of the GDPR and, in particular, a failure to satisfy the transparency obligations in Articles 13 and 14 of the GDPR and/or to establish a valid legal basis for processing under Articles 6 and/or 9. These are consistent themes across some of the most publicised enforcement action, including the €50,000,000 fine imposed by the CNIL (the French supervisory authority) against Google in January, the €220,000 fine imposed by the UODO (the Polish supervisory authority) in March and most recently, the enforcement notice issued by the ICO against HMRC in May – and we expect this trend to continue. Organisations should ensure that their transparency notices fully and accurately document their processing activities and that they have valid legal bases for the same.
- Document decision-making: as noted above, organisations need to be able to evidence their understanding of the risksto individuals and the mitigation thereof. In addition to any records which an organisation may be required to maintain under Article 30 of the GDPR, organisations should therefore ensure that they also have processes in place to record decision-making with regards to GDPR compliance more broadly. This includes, for example, documenting the analysis carried out in determining the relevant legal basis for a processing activity. In particular where legitimate interests is relied upon, organisations should carry out and document a legitimate interests assessment. Organisations should also keep a record of decision-making in respect of breach notification – in particular where a decision not to notify is taken.
With enforcement action likely to ramp up over the course of the next year and beyond, it is clear that now is not the time to sit back. Organisations should keep a keen key eye on regulatory activity and use this to further refine their compliance approach.