Review of the past year
In its report, GDPR one year on, the Information Commissioner’s Office (ICO) acknowledged the public’s increasing awareness of GDPR, in particular of their individual data rights.
The ICO also recognises that preparing for GDPR has pushed organisations to make significant changes, placing pressure on the DPOs of larger organisations. The ICO emphasised the importance of board-level senior engagement to the success of a DPO’s exercise of their obligations and of their data protection programmes.
The ICO further recognised the challenges faced by SMEs and sole traders, emphasising its commitment to a one-stop shop for SMEs to help support organisations without the capacity for dedicated in-house data protection compliance resources.
With over 50% of surveyed respondents admitting to unexpected consequences as a result of GDPR, the ICO concluded that the application of GDPR in practice remains a complex matter and that it will deliver more business-friendly guidance to provide sufficient support.
Statutory and voluntary codes of practice
In addition to providing further guidance in areas requiring updating, the ICO highlighted the statutory codes it will be developing under the Data Protection Act 2018 (“DPA 2018”), including:
- the age appropriate design code, which is aimed at providers of online services and applications whose services are likely to be used by children or involve processing personal data of children
- an updated data sharing code to help provide clearer guidance on data sharing and build trust and confidence in how organisations use personal data
- a direct marketing code to build on the existing direct marketing guidance and support organisations to balance the need for growing their business and to avoid intrusive marketing
- the data protection and journalism code, which is aimed at striking a balance between individuals’ rights and privacy and freedom of expression
- the code for the use of personal information in political campaigns, which will apply to all organisations processing personal data for the purpose of political campaigning. The ICO hopes the code will help ensure such personal data is used in a transparent, understandable and lawful manner in political campaigns. Whilst the code is not mandated under the DPA 2018, the ICO proposes that it should be given statutory footing under the DPA and has called on the Government to legislate.
Taking Action
The ICO further reviewed the enforcement actions it has taken over the past year. The overall message is that the ICO will target and focus on certain types of data processing and breaches in a few key sectors. It will make good use of the wide range of enforcement tools available to it to shape behaviour changes and it is not “just about big fines”.
Areas of focus
The ICO will focus its efforts on data processing or breaches that involve:
- highly sensitive information, large volumes of personal data or vulnerable individuals
- repeated or wilful misconduct or serious failures to protect personal data
- new or emerging risks arising from technological and societal change, and
- areas where the public have concerns, including social media companies, political parties, data brokers and the use of technologies by law enforcement agencies.
These areas of focus were largely shaped by complaints from the public, breach reports from organisations and other regulators.
In addition, the ICO’s wider regulatory priorities will focus on cyber security, AI and machine learning, device tracking for marketing purposes, children’s privacy, use of surveillance technology, data broking, use of personal information in political campaigns and freedom of information compliance.
Enforcement tools
Whilst the ICO highlighted a few serious personal data breaches and the significant fines issued to Aggregate IQ and Facebook last year, it was also clear that its ultimate goal is for organisations to have the right culture and behaviours to carry out their business in compliance with GDPR.
The ICO is better equipped to enforce data protection law now that its auditing power extends to both public and private bodies. In more urgent scenarios, the ICO can issue “no-notice” assessment notices to assess companies’ data protection practices much faster.
Trends of data protection breaches
The ICO received around 14,000 data breach reports over the past year, roughly four times the number recorded in the preceding year. Only around 17.5% of the closed data breach cases actually required action from the reporting organisation, and less than 0.5% led to penalties or improvement plans from the ICO. The ICO welcomed organisations’ proactive attitude to data breach reporting; however, it also highlighted that the figures show that effectively assessing and reporting data breaches remains challenging for organisations.
The ICO has also seen a significant number of complaints raised by the public over the past year. Subject access requests remain the most problematic topic, constituting around 38% of data protection complaints to the ICO. The ICO noted that a few sectors attracted a noticeably higher proportion of complaints, including the health sector, local government and lenders.
Into the future
Despite the prospect of Brexit, the ICO remains committed to maintaining strong links internationally with regulatory authorities across different sectors. The ongoing data regulatory sandbox and the various grants programmes are further evidence that the ICO is keen to understand the potential effect of cutting-edge innovation on the use of personal data.
In summary, the first year of GDPR saw increasing awareness of data protection in the general public as well as organisations. The ICO has also developed a more granular approach when it comes to exercising its enforcement power under GDPR.
Businesses should however stay alert to the statutory codes to be issued in the near future. Those who process personal data in areas that fall under the regulatory priorities or areas receiving high levels of complaints should carefully review existing data protection policies and practices.
If you would like assistance with your data protection matters, please contact our data protection team.