In May 2018, our inboxes were overflowing with e-mails from organisations, some of which might not have been in contact for years, asking us to consent to our data being processed. We are now nearly a year and a half on from the introduction of the Data Protection Act 2018, which implemented the General Data Protection Regulation (GDPR) into UK law.
Data Controllers, such as Trustees and employers, must recognise that data protection compliance is an ongoing process that did not end on 25 May 2018. Now is a good time to ensure that your scheme remains compliant.
Here is a reminder of the changes brought in by GDPR:
Where has the challenge been?
While some businesses tried to be fully compliant by 25 May 2018, others took the view that it was enough to take the minimum steps to comply. Full compliance entails not just understanding the obligations but evidencing compliance with them: a data protection impact assessment, data mapping, decisions on policies for matters such as data retention, and the production and issue of Privacy Notices.
Quantum has been assisting clients to meet their data protection obligations through our QSuite offering (a suite of template policies, procedures and guidance notes to assist with demonstrating compliance). QSuite needs to be reviewed at least annually to ensure all documents remain fit for purpose, and to ensure that any change to, or new method of, processing personal data is captured.
While the Information Commissioner’s Office (ICO) initially applied a light touch approach to enforcement, it did take action and fined a number of organisations such as Facebook and Equifax for serious breaches.
The European Data Protection Board (EDPB) issued a report in February 2019 showing that, since the GDPR came into force, fines totalling nearly €56 million had been issued. The vast majority of this was a €50 million fine issued to Google by The French Prudential Supervision and Resolution Authority (Autorité de contrôle prudentiel et de résolution – ACPR). Since then, the ICO fined Bounty UK £400,000 in April 2019 for selling personal data.
More recently, the hotel chain Marriott International, Inc. is likely to face a fine of £99.2 million as a result of about 339 million hotel guest records being leaked in 2014 through the Starwood Group (acquired by Marriott in 2016). While the breach occurred before GDPR came into effect and relates to the IT records of an acquired business, the ICO says that the hotel chain is being fined because it failed to carry out sufficient due diligence at the time of the acquisition. This demonstrates how GDPR can have a huge impact on merger and acquisition activity, and how Data Controllers are accountable and must have a full understanding of what data they hold.
To avoid receiving penalties, it is essential that you understand:
- the personal data you have
- how it is processed
- who processes it
- the risks to members' rights and freedoms arising from the processing
- what mitigation you have in place to reduce this risk.
The QSuite toolkit helps you to demonstrate the above and forms a solid foundation for GDPR compliance for any scheme.
What should Trustees be doing today?
The ICO has published materials to help businesses understand their ongoing obligations under GDPR. These include:
a. Reviewing your GDPR documents to see whether there have been any material changes to your scheme, its purposes, or the scope of its data processors (suppliers). Consider whether any changes to your scheme over the past year, such as a change of benefits, suppliers or advisers, will have any impact.
b. Ensuring that you have carried out all the necessary DPIAs for all new services, products and suppliers and, if necessary, issuing updated Privacy Notices.
c. Reviewing data minimisation procedures to determine whether any data that you, as the controller, or your processors on your behalf, hold is no longer relevant. While reviewing data is not a new requirement, it is important to hold only personal data that is specific to, and required for, your purpose. This is especially important in the case of special categories of personal data.
Where is GDPR heading?
a. Increased focus on compliance and increasing penalties. We have seen an increasing willingness from the ICO to issue penalties to firms that have fallen short of their data protection obligations. Any period of grace the ICO might have offered to become GDPR compliant now appears to be over. Therefore, if your scheme is not compliant, action should be taken as soon as possible. Whereas previously it was enough to show you were working towards compliance, the ICO has recently stated that, now we are more than a year on, the focus should be on more than “baseline compliance”.
b. The EDPB has issued guidance on how the regulatory framework would work for a GDPR certification regime. This opens the door to businesses obtaining GDPR accreditation in much the same way that they would achieve ISO 9001 or ISO 27001 certification.
All it takes is one data breach for the ICO to start investigating your scheme. If this does happen, you need to be confident you can show that you had the security of members’ data at the heart of what you do and can back this up with clearly defined processes and procedures.
It isn’t too late to review your data protection system and to make changes to ensure that you are up to date. Speak to your consultant if you want to find out more about QSuite and what Quantum can do to help your scheme maintain its GDPR compliance.
Samantha Willoughby, Compliance Manager