Having recently passed the first anniversary of GDPR coming into force, we have taken stock of the changes so far and look ahead to what is coming.
In the first year:
- Businesses reported 14,000 personal data breaches to the ICO between 25 May 2018 and 1 May 2019, an increase of over 10,000 from the previous year.
- Individuals made over 41,000 complaints, nearly double the number of the previous year, with data subject access requests being the most frequently complained-about topic.
- The ICO issued enforcement notices to Aggregate IQ Data Services Ltd, a company registered in Canada, and to HMRC, requiring each of them to erase personal data.
- The ICO has yet to impose a fine under GDPR or the Data Protection Act 2018, but the fines of £500,000 against Facebook (the maximum allowed under the 1998 Act) in July 2018 and £400,000 against Bounty in April 2019 suggest that businesses should be prepared for significant fines if they are found to be in breach.
The ICO has indicated that it will begin to turn its attention away from compliance towards enforcement in the near future.
To remain compliant you should:
- Make sure that staff are aware of their obligations to protect personal data and that they receive refresher training so that this understanding is maintained. Remember that the most commonly reported breach is a misaddressed email.
- Review data protection policies and procedures to make sure they remain effective and in line with any new guidance issued by the ICO.
- In particular, make sure you have strong data retention and deletion policies in place. It has become common to receive a data subject access request alongside a tribunal claim, and responding to it can be particularly burdensome if unnecessary personal data has been retained.
For more information regarding your ongoing compliance please contact us.