Just over 18 months have passed since the implementation of the General Data Protection Regulation (GDPR) and the supplementing UK Data Protection Act 2018 (DPA 2018) in May 2018.
Many will recall that one of the most significant changes brought by the new regime is the higher maximum fine: the regulator is now able to issue fines up to €20 million (c. £17 million as at the day of publication) or 4% of global turnover, whichever is greater. This is a significant increase as under the previous regulatory regime, the maximum fine was £500,000.
First UK fine under the new regulations
In the first use of these increased fining powers, the Information Commissioner’s Office (ICO) has fined a London pharmacy £275,000 for failing to comply with data protection rules.
The data breach relates to unsecure storage of documents containing personal data including sensitive information, such as NHS numbers, medical information and prescriptions. The pharmacy, Doorstep Dispensaree Ltd, left some 500,000 documents in unlocked crates, bags and cardboard boxes in a locked courtyard at the back of its premises. The documents were not secure and they were not marked as confidential waste. Some of the documents were saturated which indicated that they had been stored in this way for some time and had not been protected against the elements.
Businesses are required to implement appropriate technical and organisational measures to ensure the security of the personal data it processes. This requires protection against unauthorised or unlawful processing by third parties (such as hacking incidents and theft of data), as well as accidental loss, destruction or damage of the information.
Clearly, the pharmacy had failed to comply with these obligations. The ICO found that it had also failed to comply with a number of other obligations, such as having appropriate data protection and retention policies and providing clear procedures and practical advice to employees. It had also failed to provide individuals with information required by the GDPR.
The penalty notice (which can be found here) will be useful reading for all organisations as it highlights what bad practice looks like and outlines the factors the ICO will take into account when carrying out its investigations and deciding on the level of penalty. It is also a valuable reminder that the ICO will take data breaches seriously and it has consistently shown willingness to impose bigger fines since the GDPR was introduced.
As the first enforcement decisions have been published, now would be a good time for businesses to review their policies and procedures and to remind themselves of the requirements of the GDPR and DPA 2018, summarised below.
Summary of the new data protection rules
Does the GDPR apply to your business?
Most, if not all, UK businesses are covered by the GDPR, regardless of whether they are trading as limited companies, partnerships or sole traders. If you collect personal data about individuals for any reason other than your own personal, family or household purposes then you will need to comply.
What is personal data?
‘Personal data’ is defined very broadly and covers any information relating to an individual which can be used to identify that person, either on its own or combined with other information.
It is important to understand that the information does not have to be ‘private’ information in order to be ‘personal data’ under the GDPR. Even information which is public knowledge or relates to someone’s professional life can be personal data. For example, if you collate call lists from information that is publicly available on LinkedIn and company websites you may be processing personal data. An individual’s work email or direct dial is likely to be personal data while a generic business email (eg firstname.lastname@example.org) or a main switchboard telephone number is not. Personal data can also be electronic information such as a username, IP address or cookie identifiers.
Anonymous information is not covered unless you can identify an individual from the details. For example, if you hold an individual’s home address, age and gender, or job title, name of the company the person works for and direct dial, it is likely that they can be identified from the combined details even if you omit their name.
Paper records are only included if you plan to put them on a computer (or other digital device) or file them in an organised way (eg personnel records held in physical files).
There will be circumstances where it remains uncertain whether particular data is personal data but, as a general rule, the definition should be construed as widely as possible. The ICO takes the view that if it is unclear whether information is personal data then, as a matter of good practice, you should still treat the information collected as though it is personal data. You can find more guidance on what the ICO constitutes personal data in their Guide to the GDPR.
What are ‘special categories of personal data’?
The GDPR also singles out certain categories of personal data as likely to be more sensitive, and sets out additional protection for these ‘special categories of personal data’. This includes:
- personal data revealing racial or ethnic origin;
- personal data revealing political opinions;
- personal data revealing religious or philosophical beliefs;
- personal data revealing trade union membership;
- genetic data;
- biometric data (where used for identification purposes);
- data concerning health; and
- data concerning a person’s sex life or sexual orientation.
There will be a broad range of businesses that are likely to be covered by the rules relating to these special categories of data, ranging from care homes and pharmacies to personal trainers and gyms, and from travel agents and retreat organisers to matchmakers and dating service providers.
Employers are also likely to be covered by the rules relating to these special categories of data, which broadens the reach of the special category data even further.
The presumption is that the special categories of data must be treated with greater care because collecting and using it is more likely to interfere with the individual’s fundamental rights and freedoms, or open someone up to discrimination.
What is ‘processing’?
Almost anything you do with data counts as processing. This includes collecting, recording, storing, using, analysing, combining, disclosing or deleting it.
What are your obligations under the GDPR?
The GDPR establishes basic principles which must be adhered to by businesses operating in EU member states or engaging with customers based there. The basic principles are:
- Lawfulness, fairness and transparency – You must have valid grounds for collecting and using personal data and must use it fairly. You must also be transparent about your processing activities. You should have a data protection policy and privacy notice so you can provide clear information about your processing activities and privacy safeguards to customers, suppliers and employees whose data you collect.
- Purpose limitation – You must be clear about why you’re collecting the data and tell the individuals whose information you collect about those purposes. If you plan to use the information for additional purposes that are not in line with the original purposes that you collected data for, you must obtain specific consent from the individuals before you use their information for a new purpose.
- Data minimisation – You should only collect data which is adequate to properly fulfil your stated purpose, relevant to the purpose and limited to what is necessary for the stated purpose. You should not hold more information than you need for the purposes you collected the information for.
- Accuracy – You should take all reasonable steps to ensure the personal data you hold is not incorrect or misleading. If you discover any errors, you must take reasonable steps to correct or erase it as soon as possible.
- Storage limitation – You should only keep data for as long as you need it for your stated purposes. You need to think about – and be able to justify – how long you keep personal data. This will depend on your purposes for holding the data. You should carry out periodical reviews of the data you hold and either erase or anonymise it when you do not need it for the purposes you collected it for. It is good practice to have a data retention policy in place setting out information about retention periods. You must also tell individuals of their right to request deletion of their information at any time.
- Integrity and confidentiality – You must ensure that you have appropriate security measures in place to prevent unauthorised or unlawful processing by third parties (such as hacking incidents and theft of data) as well as accidental loss, destruction or damage.
- Accountability – The GDPR requires you to take responsibility for the data you hold, what you do with it and what steps you take to ensure you comply with the other principles.
What if there is a data breach?
A data breach can be any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. It does not matter if a breach is accidental: the GDPR covers breaches that are the result of both accidental and deliberate causes.
Personal data breaches can include situations where personal data is accessed by an unauthorised third party (eg through a hacking incident), where you send personal data to an incorrect recipient, where you lose computing devices containing personal data and where the personal data is lost or becomes unavailable temporarily or permanently (eg where it has been encrypted by ransomware).
If there is a data breach, you have a duty to report the breach to the ICO in certain circumstances. This should be done within 72 hours of when you become aware of the breach. You may also need to notify the individuals affected by the breach if there is a high risk of there being an adverse effect to the rights and freedoms of those individuals. If that is the case, you must notify the individuals without undue delay. In any event, you must keep a record of any personal data breaches, regardless of whether you are required to notify the breach.
It is important to have robust breach detection, investigation and internal reporting procedures in place. This will facilitate decision-making about whether or not you need to notify the relevant supervisory authority and the affected individuals.
Consequences of non-compliance
As mentioned above, the penalties for failing to comply with these obligations can be very serious. For less egregious breaches, you can be fined up to the greater of:
- €10 million (c. £8.5 million); or
- 2% of the firm’s global turnover.
More serious offences can incur fines up to the greater of:
- €20 million (c. £17 million); or
- 4% of the firm’s global turnover.
A fine under the new regime can have a serious impact on any business and SMEs may be particularly hard hit. It may be reassuring to bear in mind that these fines are worst-case scenarios and the ICO will consider mitigating factors such as the severity of the breach and a company’s efforts to comply with the GDPR. Financial penalties are not the only concern however, non-compliance comes with a risk of severe reputational damage and businesses who do not take steps to protect personal data may quickly lose the trust of their customers.
Data protection should be a key consideration for all businesses and it is important that policies and procedures are kept under continuous review and are updated regularly. For further advice and assistance with data protection matters, please do not hesitate to contact Commercial Solicitor, Anna Sivula, at email@example.com or fill out a contact form and we will get in touch as soon as we can.