A summary of the most important themes to emerge from this sell-out event, hosted at Reed Smith on 31 January 2019
The Privacy & Data Protection Group held their sell-out annual update on 31 January 2019. Here are the six key takeaways from the event as compiled by the team.
2018 was the “year of the data breach” – Ian Deasha from the ICO said that the ICO has received some 45,000 cases / complaints since the GDPR’s implementation. He observed that individuals have a reasonable awareness of their rights under the GDPR but, in many cases, do not follow procedures implemented by organisations for exercising these rights, and immediately resort to reporting to the ICO. There were roughly 9,000 self-reported incidents in 2018. The ICO is yet to issue a major fine under the GDPR. Under the DPA 1998, the ICO had issued major fines for 8 data protection cases (e.g. Facebook, Equifax and Uber) and 11 PECR cases.
The ICO is focusing on ‘digital’ – In terms of the ICO’s priorities, its key focus includes cybersecurity, AI and cross-tracking of devices. In particular, the ICO is focused on its Information Rights Strategy Plan, and the Innovation Directorate, which will result in the publication of the Big Data 2.0 paper. The ICO plans to reach out to academics and businesses to identify how best the ICO could help organisations tackle key issues under the GDPR in this regard.
Companies should adopt a “holistic” approach to understanding data protection issues – Stewart Room from PwC advised institutions to identify the threat vector and understand its potential effects and outcomes, in order to prevent data protection breaches from arising.
We are seeing emerging trends in regulatory sanctions and civil litigation – The first sizeable fine under GDPR was CNIL’s fine against Google. We are seeing a re-emergence of issues such as the right to be forgotten (e.g. NT1 / NT2 v Google), whilst issues relating to quantification of non-material damage, and questions around plural controllership, continue to be considered by courts.
No “one-size-fits-all” approach to data subject access requests (“DSARs”) – Rebecca Miller from Channel 4 offered practical tips on how to effectively deal with DSARs on an institutional level. In particular, she noted the importance of establishing the identity of the individual submitting the DSAR early on in the process. She also suggested that existing systems within organisations should be used to ensure there is a streamlined and efficient process of dealing with DSARs.
Varied approaches to Brexit adopted across the board – Given the political uncertainty, it was clear from the panel discussions that organisations have adopted varying approaches when it comes to preparing for a potential hard Brexit. Most organisations have started some degree of planning work. Some steps that organisations could take to prepare for Brexit include: mapping major vendor contracts and related data flows; reviewing data sharing agreements and assessing any potential amendments; preparing template FAQs for vendors to explain rationales for any Brexit-related amendments to contracts; and preparing template amendment clauses to data sharing agreements to expedite the process as and when these clauses need to be used.