The GDPR-ready practice: One year on

It’s been a year since GDPR hit the headlines, accompanied by a flood of emails seeking consent, and for practices that adopted the rules the scramble for policies and compliance is now a memory. Since the UK Data Protection Act 2018 and GDPR came into force in the UK in May 2018, what have we learned, where are we now and what are our challenges?

Employment law expert Annabel Kaye runs us through a number of recent breaches and learning points and outlines what’s coming next over the data privacy horizon.

Marketing and GDPR

Last year there were a lot of ‘experts’ saying consent was not necessary for marketing emails, texts or phone calls. They totally ignored the effect of the Privacy and Electronic Communications Regulations (PECR) and did not check their lists against the Telephone Preference Service (TPS) or its equivalent for texts.

Grove Pensions Solutions Ltd relied on such advice and was fined £40,000 for unsolicited emails. While they may have a case against their advisor, incorrect advice is not a defence to an ICO fine.

In a similar vein, Tax Returns Ltd was punished for unsolicited text marketing campaigns. The company sent 14.8m unsolicited texts and was fined £200,000. Alistair Green Legal Service made 213 nuisance calls and was fined £80,000. Even funeral planners got in on the act, as Avalon Direct Ltd made 52,000 calls and were fined accordingly.

If you are relying on ‘legitimate interest’ for your direct marketing, it is time to put that right. Get active, express consent (not relying on pre-ticked boxes) except where you are marketing related services to an existing client.

People are a challenge

Individuals are still a big source of data privacy leaks.

Leaking candidate details to his partner by forwarding them to a personal email account got Kevin Bunsell fined. Faye Caughey was overcome by curiosity and accessed records she did not need for work. Shamim Sadiq was also fined for sending personal data to a personal email account.

Sending client and colleague data to her personal email account also got another administrator fined.

These problems are easy to prevent if you restrict access to records to those who need them for their work. Depending on your systems, you may also be able to have them flag up (and require extra authorisation for) personal data being emailed to personal email accounts.

If you combine active monitoring with training, you will find your information is more secure than if you simply rely on one-off training and a policy document.
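One way to implement the flagging rule described above, as an added example that is not from the article: a small Python check over constructed mail-gateway log lines that lets internal and business mail through, holds attachments or client/candidate material addressed to consumer webmail accounts for extra authorisation, and merely records the rest. The practice domain, the webmail list, the subject keywords and the log format are all assumptions.

```python
import re
from dataclasses import dataclass

FIRM_DOMAIN = "examplepractice.co.uk"        # assumed practice domain (placeholder)
# Consumer webmail domains that usually mean a personal mailbox (assumed list).
PERSONAL_WEBMAIL = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com", "icloud.com"}
# Subject words that suggest client, candidate or staff data (assumed markers).
DATA_MARKERS = re.compile(r"\b(client|candidate|payroll|cv|hr)s?\b", re.I)
# Constructed gateway log format: one outbound message record per line.
LOG_LINE = re.compile(r'from=(\S+) to=(\S+) subj="([^"]*)" attach=(yes|no)')

@dataclass
class Verdict:
    sender: str
    recipient: str
    action: str   # "allow", "notify" (record for review) or "hold" (needs extra authorisation)
    reason: str

def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def assess(sender: str, recipient: str, subject: str, attached: bool) -> Verdict:
    """Flag personal data heading for a personal mailbox; leave business mail alone."""
    if domain(recipient) == FIRM_DOMAIN:
        return Verdict(sender, recipient, "allow", "internal mail")
    if domain(recipient) not in PERSONAL_WEBMAIL:
        return Verdict(sender, recipient, "allow", "business domain")
    if attached or DATA_MARKERS.search(subject):
        return Verdict(sender, recipient, "hold", "personal data to a personal account")
    return Verdict(sender, recipient, "notify", "personal account, no data markers")

def review_log(text: str) -> list:
    """Run assess() over every outbound message record found in the log text."""
    verdicts = []
    for line in text.splitlines():
        m = LOG_LINE.search(line)
        if m:   # lines that are not message records are skipped
            verdicts.append(assess(m[1], m[2], m[3], m[4] == "yes"))
    return verdicts

# Constructed sample log: a self-forward of candidate CVs, a payroll file sent
# internally, an engagement letter to a client firm, and a lunch invitation.
SAMPLE_LOG = """\
2019-05-01T09:12:03 from=j.smith@examplepractice.co.uk to=j.smith@gmail.com subj="Candidate CVs" attach=yes
2019-05-01T09:15:40 from=j.smith@examplepractice.co.uk to=payroll@examplepractice.co.uk subj="April run" attach=yes
2019-05-01T10:02:11 from=a.jones@examplepractice.co.uk to=bob@clientfirm.example subj="Engagement letter" attach=yes
2019-05-01T10:30:55 from=a.jones@examplepractice.co.uk to=alice.j@hotmail.com subj="Lunch?" attach=no
"""
```

Only the first message (candidate CVs forwarded to the sender's own Gmail address) is held for sign-off; the hotmail lunch invitation is recorded but not stopped.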

Data breaches increasing

Unsurprisingly, self-reported data breaches increased. Some 4,056 were reported in the last quarter of 2018/19. The professions have not been without their share of problems. In the legal profession, failure to properly redact material has been a problem, giving rise to 200 breaches, or just under 5% of the total.

In the finance sector, disclosure of documents is the biggest issue (293) with data security (145) a long way behind.

Are the professions less secure data handlers? This is highly debatable. The more regulated industries are likely to be more used to self-reporting, so it may be that the professions are simply more likely to report a breach.

Online portals

There has been an increase in the use of data sharing portals for data that needs encryption. There are many on the market but for the end customer, the onboarding process can be difficult. Anyone who is not tech savvy can struggle with working out what to do.

There is a need to properly support clients or colleagues through the process of adopting this technology. Some of the onboarding has been as sparse as “use the supplier’s help facility”. This is hardly a great way to encourage secure document sharing for clients who are new to it all.

Many clients still work with paper and want to transmit paper, rather than e-documents. Many practices are considering the costs of remaining on a paper-only system for clients who cannot or will not move to electronic documents, compared to the cost of onboarding and training those who are left in the land of paper.

There will be a niche for local practices that turn up to your office or home with a file (and where you can do the same at theirs), but as the digitisation of information from tax submissions to legal documents increases, this is likely to be an economic cul-de-sac for many firms.

Securing equipment

Using the appropriate technology to secure data is increasingly going to include the basics such as encryption, VPNs and firewalls.

When firms allow data to be held on devices that are very easy to lose, it matters that many practices have still not woken up to the benefits of simple encryption.

Whilst many practices have had their own equipment secured, informal ‘bring your own device’ policies and working at home policies often drive a coach and horses through security without anyone particularly noticing.

Policies are for life, not just for deadlines

It is important to review your policies to make sure they still reflect the way you work today, the information you need (and why), the systems you put it into, and the people you share it with.

Organisations that were fully ‘up to speed’ on GDPR in May 2018 can drift away once the deadline has passed. New software, new equipment, new staff or new working practices can quickly make security processes out of date.

Some practices got halfway to compliance and were then overwhelmed with other deadlines. We all know the terror of that unfinished project lurking in the cupboard somewhere.

Tendering for large contracts and panel-related work

We are already seeing 2019 tenders requiring GDPR compliance and asking lengthy questions on data security, policies, risk monitoring and more. Whatever the ICO is doing by way of enforcement, the big corporates have now built GDPR into their tender system. It is unlikely any firm will get shortlisted if they cannot demonstrate a reasonable understanding and level of compliance.

In due course, this will trickle down as due diligence extends down the contracting/supply chain.

Consumers too are becoming more aware of data privacy issues. Whilst some simply do not seem to give it a moment’s thought, others are already building this into their choices about who they share their information with and who they do business with.

Regulatory change is not over

The EU intends to update its e-privacy laws in July 2019. This is likely to affect UK standards, whether we Brexit or not, since we are committed to GDPR for the foreseeable future and staying aligned with the EU data privacy regime.

Once we Brexit, the UK will apply to the EU to have our data standards recognised as adequate. Once that hurdle is negotiated, we will then be on the list of countries in which data on EU/EEA citizens can be processed without additional contractual measures. This process will take some time. During the gap, those practices needing to access data on EU/EEA citizens will need to rely upon the appropriate cross-border contractual wording to upgrade their agreements with clients in order to validate working on data in client files.

If we Brexit, the EU-U.S. Privacy Shield Framework that underpins our ability to use many US-based servers will need updating in the USA to include the UK in its wording. It is not clear how long that might take to come into effect. In any event, the EU continues to show concerns about the adequacy of the U.S. Privacy Shield arrangements, an essentially voluntary code.

While it is hard to predict what platforms and security measures professional practices will be using in future, or even which exact regulatory framework will ultimately govern us, it is clear that there are real issues with data privacy and data sharing in the world at the moment. We cannot view ourselves as providing a professional service without actively securing data.

About Annabel Kaye

Annabel co-founded Irenicon in 1980 and during the last 30+ years has managed to juggle being a mother to her two children with advising clients on everything to do with the tough side of HR. From flexible working and parental leave to discrimination and TUPE, she loves the tricky ones, and when people tell her it can't be done, she is passionate about showing them otherwise.

After discovering a fascination with freelancing, virtual teams and the changing way in which people work, Annabel founded KoffeeKlatch in 1989 specifically to address the new way we work today.

There is a big gap between the law, people's expectations and what can actually work. Despite the fact that she reads a lot of legal jargon, Annabel likes to bring a flexible and practical approach to solving problems.

An adviser, coach, mentor, consultant, trainer, litigator and professional speaker at both in-person and virtual events, Annabel loves helping you get the best out of the people you pay.

Replies

01st May 2019 11:53

"If you are relying on ‘legitimate interest’ for your direct marketing, it is time to put that right. Get active, express consent (not relying on pre-ticked boxes) except where you are marketing related services to an existing client."

If companies are using LI as their basis of processing and have performed the relevant Legitimate Interests Assessment then I don't think throwing the baby out with the bathwater and switching to consent is the most appropriate course of action at all. It's a rather bold statement to make to say *everyone* needs to move over as surely everyone's circumstances are not the same?

Thanks (0)
14th May 2019 15:01

Neil makes a fair point and it is an issue I am working on currently. However, the requirements of PECR for data subject consent to some forms of electronic marketing, and the GDPR Article 21 obligation to inform the data subject of their absolute right to withdraw consent, mean that the effectiveness of legitimate interest as a lawful basis is conditional not only on your being sure that you have applied the balancing test appropriately (and realise that you are taking responsibility for protecting the data subject!) but also on your being able to manage withdrawal of consent (which trumps LI) in a dynamic fashion, having met your obligation to inform the data subject of their rights.
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-t...

For a small population of contactees, you might be able to do that manually, but I think Annabel is making the point that for volume marketing an automated method of managing consent dynamically would be required and that in that context LI is no longer an appropriate basis.

Thanks (0)
to chasmeehan
15th May 2019 14:33

I would say that you're unnecessarily restricting the people that you can send marketing material to as a result.

Changing your legal basis and requesting consent from people who have previously been sent marketing material, but not provided explicit prior consent means you are admitting that you have not been complying with PECR anyway, regardless of any GDPR concerns. That is how Honda got caught out and fined https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2017/03/...

"Both companies sent emails asking for consent to future marketing. In doing so they broke the law. Sending emails to determine whether people want to receive marketing without the right consent, is still marketing and it is against the law."

For me, managing consent that has been withdrawn under LI through well managed suppression lists is a much more efficient and effective way to manage marketing data without restricting the reach of your marketing material.

Either way, though, my main objection is to the blanket statement informing us we all need to switch to a new legal basis of processing and mocking "experts" when it really is a fair bit more complicated than that.

Thanks (0)