The ICO’s Regulatory Action Policy was published, setting out its approach to determining how it will levy fines. This is a common theme right across the EU, with supervisory authorities trying to establish some common basic principles and parameters. The BA fine was ratified but drastically reduced from the initial estimate, as was the Marriott fine; both organisations lobbied for reductions and succeeded. Whilst they are still large fines, they pale into relative insignificance compared with what they could have been and with the mega-fines we were told to expect before the GDPR took effect. Considering the damage and disruption caused by the Marriott breach, it is a small price to pay. The same is true of the Ticketmaster fine: that breach affected a very large number of people in a material way and continued for several weeks despite customers, banks and others telling the company that its website had vulnerabilities.
The ICO published a report on the use of personal data by political parties. A large part of the report considered the role of data brokers and social media providers in supplying information that, through analytics and modelling, augments what the data controllers already know about data subjects. Plaid Cymru used publicly available census data to identify Welsh speakers so that it could target its campaigning activities at those individuals or demographic areas. An enforcement notice was issued to Experian with a 2-year remediation window. The impact of this may be felt not only in the credit reference industry but also in the many other uses of Experian-supplied data.
A new Subject Access Request Code of Practice was issued by the ICO – a useful document, but seemingly at odds with some rulings of the courts, particularly in respect of the duty to perform a search for the information requested. This area is bound to be tested several times in the future to tease out exactly what a data controller’s legal duty is in terms of proportionality: a concept not fully recognised in the GDPR, recognised to some extent by the ICO, but treated by the courts as a concept underpinning the law.
And finally, we come to international transfers. Schrems, Safe Harbor and Privacy Shield are old hat now, given the speed at which data protection law and practice is evolving. The European Data Protection Board recently issued a paper setting out the supplementary measures that should be implemented where a controller relies on standard contractual clauses, to ensure that sufficient safeguards are in place and remain so. In addition, the European Commission issued new model standard contractual clauses (SCCs) for public consultation, with a short consultation window that closes on 10th December. It looks like the existing three sets of model clauses are on their way out and a new set is on its way in. Given that the UK seems unlikely to be granted adequacy by the European Commission, transfers from the EU to the UK from January 1st will be subject not only to the new SCCs but also to the supplementary measures. It seems safe to assume that UK controllers will also have to implement the same arrangements for the data transfers they make to the US and other non-“approved” territories.
It’s been a full-time job keeping up with developments these last few months – but of course, the real work is in checking how they affect your organisation and changing business practices to meet this revised regime.
What you need to do is:
– Assess whether you are affected by the Age Appropriate Design Code of Practice (AADCOP)
– Revise your SAR procedure and training to meet the new guidance
– Check all your data sharing and disclosures to see how they may be affected by the changes to international transfer rules
– Check your sources of data to determine what you obtain from data brokers and credit reference agencies
– Update your data protection compliance management record-keeping to fall in line with the accountability framework