The implementation of the GDPR and the Data Protection Act 2018 in May 2018 caused great excitement and confusion in the SME community. Disappointingly, the media seemed to focus only on the higher fines and the increased powers of the Information Commissioner's Office (ICO), rather than shedding light on the realistic impact for individuals and organisations.
It’s fair to say that most small businesses found the preparation for the new data protection rules a painful process. The FSB worked hard to provide information and practical guidance to its members.
What has happened?
The ICO has recently issued a report detailing its work over the last year. It focuses on the support the ICO has given to individuals, organisations and Data Protection Officers, but it also highlights the enforcement action the ICO has taken.
It’s clear from the report that members of the public are now more aware of their privacy rights and they are rightly holding organisations to the higher standards of protection of their personal data. Most organisations worked hard to implement change programmes to achieve compliance, and this builds trust with customers.
The ICO has confirmed on more than one occasion that its approach is not about issuing big fines. Under its regulatory policy it aims to respond effectively to breaches, to be proportionate in applying sanctions, to continue supporting compliance with the law, and to be proactive in identifying new risks arising from technological and societal change.
The ICO received around 14,000 personal data breach reports from 25 May 2018 to 1 May 2019.
Interestingly, the ICO closed over 12,000 of these cases during the year. Of those, only around 17.5% required action from the organisation, and less than 0.5% led to either an improvement plan or a civil monetary penalty. The report helpfully gives examples of reported breaches in each of three categories: breaches where no further action was required; breaches where further action was required from the organisation but no formal action from the ICO; and a breach where the ICO took formal action.
The report also highlights a sharp rise in complaints from the public (over 41,000 from 25 May 2018 to 1 May 2019), with subject access requests the largest complaint category. In addition, the ICO has issued its first penalty notices for non-payment of the data protection fee.
Ongoing compliance and accountability
Compliance with the GDPR and the DPA 2018 is an ongoing process, not a one-off project. Businesses should continue to focus on accountability: being able to demonstrate how they comply with the rules, not just asserting that they do.
As a reminder, FSB members have access to a suite of GDPR documents and guidance notes on the FSB Legal Hub. These should be used alongside the extremely useful resources available on the ICO website. In addition, FSB members can contact the FSB Legal Advice Line with queries about data protection matters and cyber security concerns.