Since the introduction of the UK government’s ‘Track and Trace’ system, the acronym ‘GDPR’ has been floating around the media constantly. In this post, I am going to look at what the General Data Protection Regulation (GDPR) is and why it is so prominent in the media at the moment. I will also look at one big GDPR case and at what all this means for law firms.
What is GDPR?
As mentioned above, ‘GDPR’ stands for General Data Protection Regulation. The regulation grew out of the EU’s desire to tighten the law on data privacy. It came into force in May 2018, and one dedicated GDPR information site describes it as ‘the toughest privacy and security laws in the world’. Following the UK’s exit from the EU, the GDPR has been carried over into UK law, and because it applies to any organisation processing the personal data of people in the UK or EU, wherever that organisation is based, it effectively reaches organisations all over the world.
The aim? To give citizens more control over their personal data. Under the legal definition, personal data is any information relating to an identified or identifiable person, which encompasses your name, address and photos. It also includes more sensitive categories such as your genetic and biometric data. Perhaps the key thing to understand about the GDPR is that it replaces data protection laws written in the 1990s. In other aspects of life we are still governed by laws that pre-date the 1990s, but in a world obsessed with social media, online shopping and the internet more generally, it is vital that data privacy law keeps up. In 1990, putting your details into an online portal to buy some socks was not really a ‘thing’, so you can see how the previous law left conspicuous privacy gaps.
The fines for a breach of the GDPR can be extreme: up to 20 million euros or 4% of global annual turnover, whichever is higher. The largest penalty pursued by the Information Commissioner’s Office (ICO) in the UK concerns British Airways. In July 2019 the ICO announced its intention to fine British Airways, part of the IAG group, £183.39 million in connection with a data breach that affected around 500,000 customers. The ICO found that British Airways had poor security around customers logging in, paying by card and entering travel details. This is by far the largest penalty the ICO has ever proposed; the previous record was the £500,000 fine imposed on Facebook, which was the maximum available under the old Data Protection Act 1998, and the gap between the two illustrates how much more weight the GDPR carries. After a year of negotiation, it is expected that the amount British Airways actually pays will be lower.
Why is GDPR so prominent in the news right now?
A couple of weeks ago, privacy campaigners from the Open Rights Group (ORG) claimed that the UK’s response to the coronavirus outbreak, specifically the ‘Track and Trace’ system, has breached the rules. ORG claim that the government has not complied with Article 35 of the GDPR. Under Article 35, an organisation whose processing of personal data is likely to result in a high risk to individuals must first carry out a ‘Data Protection Impact Assessment’ (DPIA). This is essentially a documented risk assessment of the processing, its necessity and the measures taken to address the risks, designed to ensure the GDPR is not breached. ORG have threatened to take the government to court to force it to admit that full due diligence on privacy law was not carried out. The government has since agreed to reduce its data retention period from 20 years to 8 and to carry out a full DPIA.
The ICO has confirmed that it is providing guidance to the government to ensure the scheme is lawful, and has reiterated that it will take firm action against any organisation exploiting personal data. Given that it has recently come to light that individuals employed as contact tracers have allegedly shared details of COVID-19 patients, it is unclear how far ORG will take this threat.
What does this mean for law firms?
Is it worth scaling back data privacy law for the time being to combat a deadly virus? Of course, in the words of ORG, this relies on mutual trust between the government and the public, something that just is not there right now. This brings me to the first major impact for law firms. Smaller high street firms may start to pursue data privacy as a channel of revenue. It seems that GDPR is just waiting for its ‘Miller’. If the government continues to walk the fine line of the GDPR, will individuals begin bringing claims against it? Right now the answer is not very clear. Nevertheless, small to medium law firms should look to invest in this area so that they are ready when it happens.
The second major impact of the GDPR moves away from the current pandemic. A breach of the GDPR can be damaging for a large company, and the reputational damage from harvesting personal data can be dire for a business. Many Facebook users are putting less personal data online for fear of hacking, or of their data being used for something ridiculous, like maybe rigging the American presidential election – crazy, right? Perhaps even more damaging for a company like British Airways is the financial impact. It is no secret that, because of COVID-19, the airline’s finances are struggling. Most full-service commercial law firms will already have data privacy departments, but now is the time for them to invest in this area, whether to protect the big companies breaching the rules or to go after them.