The GDPR-ready practice: One year on
It’s been a year since GDPR hit the headlines, accompanied by a flood of emails seeking consent, and the scramble for policies and compliance is a memory for practices that adopted the rules. Since the UK Data Protection Act 2018 and GDPR came into force in the UK in May 2018, what did we learn, where are we now and what are our challenges?
Employment law expert Annabel Kaye runs us through a number of recent breaches and learning points and outlines what’s coming next over the data privacy horizon.
Marketing and GDPR
Last year there were a lot of ‘experts’ saying consent was not necessary for marketing emails, texts, phone calls. They totally ignored the effect of the Privacy and Electronic Communications Regulations (PECR) and did not check their lists against the Telephone Preference Service (TPS) or equivalent for texts.
Grove Pensions Solutions Ltd relied on such advice and was fined £40,000 for unsolicited emails. While they may have a case against their advisor, incorrect advice is not a defence to an ICO fine.
In a similar vein, Tax Returns Ltd was punished for unsolicited text marketing campaigns. The company sent 14.8m unsolicited texts and was fined £200,000. Alistair Green Legal Service made 213 nuisance calls and was fined £80,000. Even funeral planners got in on the act, as Avalon Direct Ltd made 52,000 calls and were fined accordingly.
If you are relying on ‘legitimate interest’ for your direct marketing, it is time to put that right. Get active, express consent (not relying on pre-ticked boxes), except where you are marketing related services to an existing client.
People are a challenge
Individuals are still a big source of data privacy leaks.
Leaking candidate details to his partner by forwarding them to a personal email account got Kevin Bunsell fined. Faye Caughey was overcome by curiosity and accessed records she did not need for work. Shamim Sadiq was also fined for sending personal data to a personal email account.
Sending client and colleague data to her personal email account also got this administrator fined.
These problems can be easy to prevent if you restrict access to records to those who need them for their work. Depending on your system, you may also be able to have it flag up (and seek extra authorisation for) personal data being emailed to personal email accounts.
If you combine active monitoring with training, you will find your information is more secure than if you simply rely on one-off training and a policy document.
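One way to implement the flagging described above, as an added example rather than anything from the article or a named product: a small Python check over constructed outbound mail events that holds a message for authorisation when it goes to a consumer webmail domain and is either a self-forward or carries indicators of personal data. The domain list, the indicator patterns and the mail event shape are assumptions to be adapted to the practice's own mail system.

```python
import re
from dataclasses import dataclass

# Assumed list of consumer webmail domains; extend to match local policy.
PERSONAL_MAIL_DOMAINS = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.co.uk", "icloud.com"}

# Assumed indicators of personal data in a subject line or attachment name.
PERSONAL_DATA_PATTERNS = [
    re.compile(r"\b(cv|candidate|payroll|client list|tax return|medical)\b", re.I),
    re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b"),  # shape of a UK National Insurance number
]


@dataclass
class MailEvent:
    """Minimal constructed view of an outbound message as a mail gateway might log it."""
    sender: str
    recipients: list[str]
    subject: str
    attachments: list[str]


def recipient_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def flag_event(event: MailEvent) -> list[str]:
    """Return the reasons this message should be held for extra authorisation (empty if none)."""
    reasons: list[str] = []
    personal = [r for r in event.recipients if recipient_domain(r) in PERSONAL_MAIL_DOMAINS]
    if not personal:
        return reasons  # internal or business-to-business mail is out of scope for this check
    # A recipient whose local part matches the sender's is the classic forward-to-myself case.
    sender_local = event.sender.split("@")[0].lower()
    for r in personal:
        if r.split("@")[0].lower().split("+")[0] == sender_local:
            reasons.append(f"self-forward to {r}")
    # Any personal-data indicator in the subject or attachment names is enough to hold the mail.
    text = " ".join([event.subject, *event.attachments])
    for pattern in PERSONAL_DATA_PATTERNS:
        if pattern.search(text):
            reasons.append(f"personal-data indicator {pattern.pattern!r} sent to {', '.join(personal)}")
            break
    return reasons


def scan(events: list[MailEvent]) -> dict[str, list[str]]:
    """Map each flagged sender/subject to its reasons, for a reviewer's queue."""
    return {f"{e.sender}: {e.subject}": r for e in events if (r := flag_event(e))}
```
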
Data breaches increasing
Unsurprisingly, self-reported data breaches increased. Some 4,056 were reported in the last quarter of 2018/19. The professions have not been without their share of problems. In the legal profession, failure to properly redact material has been a problem, giving rise to 200 breaches, or just under 5% of the total.
In the finance sector, disclosure of documents is the biggest issue (293) with data security (145) a long way behind.
Are the professions less secure data handlers? This is highly debatable. The more regulated industries are likely to be more used to self-reporting, so it may be that the professions are simply more likely to report a breach.
There has been an increase in the use of data sharing portals for data that needs encryption. There are many on the market but for the end customer, the onboarding process can be difficult. Anyone who is not tech savvy can struggle with working out what to do.
There is a need to properly support clients or colleagues through the process of adopting this technology. Some of the onboarding has been as sparse as “use the supplier’s help facility”. This is hardly a great way to encourage secure document sharing for clients who are new to it all.
Many clients still work with paper and want to transmit paper, rather than e-documents. Many practices are considering the costs of remaining on a paper-only system for clients who cannot or will not move to electronic documents, compared to the cost of onboarding and training those who are left in the land of paper.
There will be a niche for local practices that turn up to your office or home with a file (and where you can do the same at theirs), but as the digitisation of information from tax submissions to legal documents increases, this is likely to be an economic cul-de-sac for many firms.
Using the appropriate technology to secure data is increasingly going to include the basics such as encryption, VPNs and firewalls.
When firms allow data to be carried on devices that are very easy to lose, many practices have still not woken up to the benefits of simple encryption.
Whilst many practices have had their own equipment secured, informal ‘bring your own device’ policies and working at home policies often drive a coach and horses through security without anyone particularly noticing.
Policies are for life not just for deadlines
It is important to review your policies to make sure they still reflect the way you work today, the information you need (and why), the systems you put it into, and the people you share it with.
Organisations that were fully ‘up to speed’ on GDPR in May 2018 could potentially drift away once the deadline is passed. New software, new equipment, new staff or new working practices can quickly make security processes out of date.
Some practices got halfway to compliance and were then overwhelmed with other deadlines. We all know the terror of that unfinished project lurking in the cupboard somewhere.
Tendering for large contracts and panel-related work
We are already seeing 2019 tenders requiring GDPR compliance and asking lengthy questions on data security, policies, risk monitoring and more. Whatever the ICO is doing by way of enforcement, the big corporates have now built GDPR into their tender system. It is unlikely any firm will get shortlisted if they cannot demonstrate a reasonable understanding and level of compliance.
In due course, this will trickle down as due diligence extends down the contracting/supply chain.
Consumers too are becoming more aware of data privacy issues. Whilst some simply do not seem to give it a moment’s thought, others are already building this into their choices about who they share their information with and who they do business with.
Regulatory change is not over
The EU intends to update its e-privacy laws in July 2019. This is likely to affect UK standards, whether we Brexit or not, since we are committed to GDPR for the foreseeable future and staying aligned with the EU data privacy regime.
Once we Brexit, the UK will apply to the EU to have our data standards recognised as adequate. Once that hurdle is negotiated, we will then be on the list of countries in which data on EU/EEA citizens can be processed without additional contractual measures. This process will take some time. During the gap, those practices needing to access data on EU/EEA citizens will need to rely upon the appropriate cross-border contractual wording to upgrade their agreements with clients in order to validate working on data in client files.
If we Brexit, the EU-U.S. Privacy Shield Framework that underpins our ability to use many US-based servers will need updating in the USA to include the UK in its wording. It is not clear how long that might take to come into effect. In any event, the EU continues to show concerns about the adequacy of the U.S. Privacy Shield arrangements, an essentially voluntary code.
While it is hard to look into the future and predict what platforms and security measures professional practices will be using in the future, or even which exact regulatory framework will ultimately govern us, it is clear that there are real issues with data privacy and data sharing in the world at the moment. We cannot view ourselves as providing a professional service without actively securing data.
Annabel co-founded Irenicon in 1980 and during the last 30+ years, managed to juggle being a mother to her two children with advising clients on everything to do with the tough side of HR. From flexible working and parental leave to discrimination and TUPE - she loves the