The GDPR @One

This weekend the GDPR turned one. It is an important landmark and an ideal opportunity to see what has been achieved; what can be expected in the short and mid term from regulators and the EDPB; as well as reflect upon how companies need to evolve and transition with this developing area of law.

The General Data Protection Regulation (GDPR) marked its first birthday on Saturday, 25 May 2019.  An ideal opportunity was presented to reflect on what it has achieved in its first twelve months besides consider our hopes and expectations for its future years. Whilst this time last year inboxes were flooded with updated privacy notices, this week it has been peppered with articles and blogs, including this one, about the GDPR's first year.

The European Data Protection Board (EDPB) has provided us with a variety of stats from the Supervisory Authorities (SAs), citing the number of queries and complaints received, 144,000 as well as the amount of data breach notifications, 89,000, of which the UK's Information Commission's Office (ICO) has received more than 14,000. No sophisticated analysis of numbers is required either to understand that there has been a huge increase in the number of complaints by data subjects to SAs compared to those received pre GDPR. Is this exponential rise solely attributable to an increased awareness of data protection? When data protection becomes headline news, whether on a newspaper front page or lead story on a news app, you know it is no longer niche but is now ubiquitous.

The level of data subject complaints the regulators are dealing with are only a proportion of the data subject rights requests that companies are receiving and managing as they attend to their general business operations. Companies, including those whose core business model is not the collection and processing of data, have worked on developing effective solutions to manage the volume of requests. Many are offering data subjects a practical way in which to self service their data rectification needs. Equally, using online tools, subjects can ask that their data be deleted or request a copy of their data.

Yet, even with such facilities, together with a comprehensive understanding of where an individual's data is held, largely due to extensive data mapping exercises performed pre GDPR, businesses have still needed to invest a vast amount of time and money to deal with certain requests. Certain exemptions will apply and documents, for example, may need to be redacted due to containing third party data or withheld on the grounds of legal privilege. Some requests received have been vexatious and whilst a request is "purpose blind", at times there is a clear motivation behind them, especially where there is a dispute between the controller and the subject, including an employer and employee. Ultimately, more granular guidance and case law on this area will provide clearer parameters to organisations with respect to how much resistance they can give to the more aggressive request.

When the various iterations of the GDPR were passing through the EU legislative process it was the level of fines that caught everyone's attention and grabbed the headlines. So familiar today, it is almost unnecessary to mention the figures … (up to €10m or 2% of annual turnover or up to €20m or 4% of annual turnover, depending on the infringement). One year in though, beyond the CNIL's €50m fine against Google, inevitably appealed, there have been no hefty fines. Yes, the regulators have been criticised about this but invariably, these things take time. The investigations in accordance with the GDPR are without precedent, likely to be large-scale, complex, multi jurisdictional that require close examination of the legislation, not to mention allow time to liaise with concerned SAs, who are no doubt grateful to the EU IMI (Internal Market Information System) case register to assist with some of the logistics!

Only a little more patience is potentially required though. Both Ireland's Data Protection Commission and the ICO have indicated that fines are imminent. No doubt, we will soon be seeing articles with titles providing an analogy of regulatory fines to (London) buses. You wait ages for one to come along and then [insert multi number] come together!

Of the data protection fines issued under the GDPR, one of particular interest was the Danish SA's fine of taxi company Taxa 4x35, with respect to Taxa's approach to storage limitation. Whilst Taxa did have a data retention policy, it had failed to follow it. When the Danish SA conducted an audit it found that data relating to individuals' taxi rides was kept beyond the lawful two year retention period. Upon issuing its fine, the Danish SA commented that organisations "cannot set a deletion deadline which is three years longer than necessary simply because the company's systems make it difficult to comply with the rules". Without doubt, preparing a data retention schedule demands a lot of time, especially if you have a multijurisdictional business with a variety of data sets. Do not allow all that hard word and effort to be undone by not implementing a system to ensure the periodic deletion of your data at the relevant time.

In any event, the enforcement of the GDPR is not solely about fines. The recent enforcement notice issued by the ICO against HMRC (Her Majesty's Revenue & Customs), the UK's tax, payments and customs authority, provides an excellent illustration of this. The ICO, responding to a complaint from Big Brother Watch, upon investigating HMRC's voice authentication for user verification on some of HMRC's helplines, found that "sufficient information about how their biometric data would be processed" was not given to users and that HMRC had "failed to give them the chance to give or withhold consent". A preliminary enforcement notice was issued that required HMRC to delete all biometric data for which it did not have explicit consent. Following this, on 9 May 2019 the ICO issued a final enforcement notice for HMRC to complete the deletion of the relevant records, which if not complied with may result in a penalty notice, i.e., a monetary fine. For those not familiar with the case, HMRC needs to delete in the region of 5.5 million records.

For a piece of legislation that may, like its predecessor, last for 20 years, it is early days. Beyond raising awareness of data protection with the European public, GDPR's influence across the world is evident. From the California Consumer Privacy Act, which comes into effect on 1 January 2020 to Brazil's LGPD (Lei Geral de Proteção de Dados Pessoais) that is expected to become applicable in August next year; there is draft legislation in progress from India to Argentina. The EDPB has an ambitious work programme for the forthcoming year and as mentioned above there is intense focus on SAs who regulate the largest companies, especially the tech ones, to impose fines. It is incumbent upon all stakeholders to respect the regulatory framework yet consider how to best use data to benefit customers and society. Data protection and innovation, despite much discussion to the contrary, are not mutually exclusive concepts.

The culture of data protection is evolving too. Once upon a time if you were compliant with local applicable data protection laws and adhered to good practice you were somewhat considered "cutting edge". Today, to rely upon data protection as a competitive differentiator you need to focus on ethics within data protection and meet the challenge to provide data protection to every user. Data protection is not exclusively for those who can afford not to be the product of a particular service. Undoubtedly, there is a balance to be struck between data collection, the sharing of data, the purposes for which it is processed and the user experience. The 40^th International Conference of Data Protection and Privacy Commissioners completely focused on #DebatingEthics. Remember though, the collection and processing of data protection is not prohibited, there is merely a regulatory framework in which to operate.

Without question, there was a flurry of activity to become GDPR ready by 25 May 2018. Yet this was never an end date, merely a starting point. As the period pre GDPR was an opportunity for organisations to undertake a house keeping exercise into the data they held; training offered; related policies; management of data incidents and so forth, the first anniversary presents an ideal moment to assess just how well you are complying in practice with the GDPR. How easily would you be able to demonstrate this if the regulator came knocking or your corporate customers asked you to? Accountability, if it has not yet been your focus, needs to become so. This is where data protection is now at under the GDPR. As a starter for 10 familiarise yourself with the ICO's page on accountability and governance, an excellent resource that shows this regulator's own view on accountability and what is required to be able to evidence your compliance with the GDPR. Be warned, accountability requires collaboration from all colleagues within the business: it is not a one person job. #Accountability is an ongoing task that requires commitment across the company in all departments and from all levels of employee, from the bottom up to the board.

However this first year of the GDPR has been for you, take the time to celebrate all you have achieved so far and this spring, consider how you can demonstrate your compliance and accountability. Besides any challenges ahead, remember this is an immensely exciting area to be working in.

Happy First Birthday GDPR! Wishing you a productive and fulfilling year ahead.