22 June 2020
GDPR and Data Protection Act 2018 – Two Years On
By Faye Cheung, Researcher
It has been over two years since the EU’s General Data Protection Regulation (GDPR) was implemented across the EU together with the Data Protection Act 2018 (DPA) in the UK. GDPR and DPA have introduced stricter data protection measures than the previous legislation (Data Protection Act 1998) by bringing data protection and information rights in line with the digital age, introducing more stringent transparency requirements and enhanced data security for individuals. This has inevitably led to challenges for many businesses in order for them to make the necessary changes and improvements to ensure data protection compliance. This article will take a look back at some of milestones associated with the new data protection legislation and consider what might be next for data protection in the UK.
Enforcement Milestones
Prior to the implementation of the new data protection legislation, a survey carried out by the Information Commissioner’s Office (ICO) in 2018 showed that nearly 50% of the respondents, who were Data Protection Officers, felt that they ‘faced unexpected consequences as a result of GDPR and DPA 2018’.[1] In reality, the new legislation simply tightened previous law and there were actually no monetary penalties under DPA 2018 in 2018-19 and there have been few since. This is mainly because personal data breaches which pre-date 25 May 2018 are governed by the DPA 1998. 2018-19 was actually a record-breaking year for monetary penalties under the DPA 1988.[2] According to their annual performance report, they issued 22 monetary penalty notices for breaches, which totalled £3,010,610. This included a fine of £500,000 to Cathay Pacific and a fine of £500,000 to CRDNN Limited for making more than 193 million automated nuisance calls.[3] £500,000 was the maximum permitted under DPA 1998 and these two fines were the ICO’s highest ever fine to that date. Whilst these figures may concern businesses, it shows that there were always strong legal data protection obligations for businesses prior to GDPR. Under GDPR and DPA 2018, the maximum penalty is now 20 million euros or 4% of the undertaking’s total annual worldwide turnover.[4]
Within the EU the UK is set to be the country with the highest total sum of fines but with the least number of fines. The ICO have issued an intention to fine Marriott International, Inc more than £99 million under GDPR for data breach[5] and an intention to fine British Airways a whopping record-breaking £183.39 million under GDPR for data breach[6] but these have yet to be actually issued. The British Airways fine will be the highest GDPR monetary penalty in the EU to date.
More details of other enforcement action taken by the ICO in the UK is available on the ICO website. Details of GDPR enforcement action across the EU can be found at the following website: http://www.enforcementtracker.com
What Next – Data Protection After the Brexit Implementation Period
There are seven months left until the implementation period ends. It is understood that GDPR will be brought into UK law as the ‘UK GDPR’ but, as explained by the ICO, ‘there may be time for further developments about how we deal with particular issues such as UK-EU transfers’.[7] The default position, regardless of a deal or no-deal, is that GDPR will be brought into UK law as ‘UK GDPR’. However, there is some uncertainty around this. On the 27th May 2020 the Committee on the Future Relationship with the European Union held a virtual evidence meeting to question Michael Gove and David Frost on Brexit negotiation progress. Gove said that the UK ‘is a world leader in making the case for the highest possible standard of data protection’. Gove also seemed to acknowledge the possibility of some kind of departure from GDPR provisions: ‘we apply EU law in this country through GDPR, that should ensure adequacy, unless for some reason there is some rupture with that’.[8] The reason for such rupture and the extent of such possible rupture is unclear. Brexit negotiations continue this month.
In the meantime, businesses should follow Brexit related data protection guidance issued by the Information Commissioner’s Office, which is available here.
What Next – Data Protection and the Health Service
It has been interesting to see how GDPR and DPA operate within these extraordinary times. The Covid-19 crisis has shown that the legislation offers flexibility and scope for pragmatism when dealing with public emergencies. The ICO have been quick to reassure public health authorities of this, highlighting that the Data Protection Act 2018 allows ‘data sharing where it supports necessary and proportionate action’.[9] It has also clarified that data protection and electronic communication laws also do not stop Government, the NHS or any other health professionals from sending public health messages to people, either by phone, text or email, as these messages are not direct marketing.[10]
To conclude, GDPR and DPA is likely to have increasing significance for businesses and individuals as personal data becomes more and more valuable to a growing range of stakeholders. We will eagerly await further developments from the government’s Brexit negotiations and keep an eye out for data protection news. For more information about the DPA 2018 and its enforcement, readers should look out for the publication of the ICO’s latest annual report.
This article was first published on Forum Business Media’s GDPR online resource https://www.gdprorb.co.uk/content-partners
[1]‘ Information Commissioner’s Annual Report and Financial Statements2018-19, Information Commisioners Office, 8th July 2019, <https://ico.org.uk/media/about-the-ico/documents/2615262/annual-report-201819.pdf> accessed 31st May 2019. Page 18.
[2] ‘Information Commissioner’s Annual Report and Financial Statements2018-19’, Information Commissioners Office, 8th July 2019, <https://ico.org.uk/media/about-the-ico/documents/2615262/annual-report-201819.pdf> accessed 31st May 2019. Page 18.
[3] ICO, 2nd March 2020, <https://ico.org.uk/action-weve-taken/enforcement/crdnn-limited-mpn/> accessed 2nd June 2020.
[4] Data Protection Act 2081, s 157.
[5] ICO, 9th July 2019 <https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/statement-intention-to-fine-marriott-international-inc-more-than-99-million-under-gdpr-for-data-breach/> accessed 31st May 2020.
[6] ICO, 8th July 2019, <https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/ico-announces-intention-to-fine-british-airways/#:~:text=Following%20an%20extensive%20investigation%20the,British%20Airways%20in%20September%202018> accessed 31st May 2020.
[7] Information rights and Brexit Frequently Asked Questions, ICO, 16th January 2020 <https://ico.org.uk/media/for-organisations/documents/brexit/2617110/information-rights-and-brexit-faqs-v2_3.pdf> accessed 2nd June 2020.
[8] Recording from 27th May 2020 <https://parliamentlive.tv/Event/Index/51a625aa-1e27-47ac-81c5-5afe7bdbdc64> accessed 31st May 2020. This particular discussion comes at 14.19 on the video.
[9] ‘Health, social care organisations and coronavirus – what you need to know’, ICO, <https://ico.org.uk/global/data-protection-and-coronavirus-information-hub/data-protection-and-coronavirus/health-social-care-organisations-and-coronavirus-what-you-need-to-know/> accessed 2nd June 2020.
[10] Health, social care organisations and coronavirus – what you need to know’, ICO, <https://ico.org.uk/global/data-protection-and-coronavirus-information-hub/data-protection-and-coronavirus/health-social-care-organisations-and-coronavirus-what-you-need-to-know/> accessed 2nd June 2020.
© Naomi Korn Associates, 2020. Some Rights Reserved.