GDPR – One Year On. The News? Who’s asking, It Might Be Protected Information?
“Do you know of a General Data Protection expert who could advise me and my business about it all?”
“Yes, I certainly do.”
“Oh thanks, so tell me, who can help me then?”
“No, I can’t tell you who it is, that’s protected data.”
I trust that old chestnut has you rocking with laughter. (Lawyers’ jokes are not for everyone perhaps.)
I’m strictly a bit late for the “one year on” blog cliché. Still it’s only July 2019 and the implementation date of GDPR was 25th May 2018. So, what’s been occurring?
The first effect for many companies was a worried revision of their own processes and systems. Many of them were hampered by a less than clear understanding of what the new Data Protection Regulation actually said, or meant.
OK? What does it say? – Here it is for you to read – Link –
I guess you probably are not going to do that, now that you can see the length of the Regulation. If you have read it, you will see that the above is the European overarching regulation. It includes a requirement that the member States must enact their own rules of implementation.
In the case of the UK, this is the Data Protection Act 2018 – Link Here –
So let me guess, you’re not going to read all of that either.
It does turn out to be a bit of a problem, that by and large the Laws of this Country and most others are just too damn long. How can we all obey what we can’t be bothered to read and wouldn’t clearly understand if we tried?
Take email marketing. It is not made illegal by the GDPR. But if it is done, it must be done in accordance with GDPR. So, again, how can we know what to do if the wording is impenetrable?
Many companies, including the well-known Wetherspoon pub restaurant chain, simply decided they couldn’t be bothered with the whole game of soldiers and deleted their entire customer marketing database.
Others meet the problem by deciding that if some of the data they hold is subject to the Regulation, then they will be OK if they never share any of their data with anyone. Not the most helpful thing in my line of work. I am often instructed to assist a student seeking to work abroad, by checking then notarizing that their University Degree is genuine. If the degree was from a USA University, I have just phoned up and asked the question and the receptionist has checked the computer and told me the answer.
In England, not so easy! “GDPR, innit.”
So it’s a year on from the implementation of that Regulation you’ve heard about.
The English enforcer for the Regulation seems to be the Information Commissioner’s Office and its website is showing a list of the enforcement actions it has taken.
Here is – the link-
I don’t know about you but there seems something oxymoronic about the information revealed above.
It enables you and me to browse through it without any business reason to do so, perhaps whilst bored at work, to learn of the misdemeanours of others.
Yebbut, one of the things we can read about, is the prosecution of a person Wendy who browsed through her employers’ database “without any business reason to do so” and read records of anti-social activities of others.
It doesn’t say why she did it, chances are that she was bored at work and passed the time reading about the misdemeanours of others? Fined £300.00.
Anyway, the page lists various examples of behaviour which will get you in trouble if you do it. Many are the sort of thing you would expect to get people into trouble. A schoolteacher moving pupil data to his home computer. A medical centre worker accessing details of patient health records. An employee copying the employer’s computerised customer list – perhaps in contemplation of setting up in competition and canvassing those customers.
Of course the majority of breaches are more what you might expect on a larger scale – unsolicited PPI phone calls, unconsented releases of customer data to third parties, some of them involving many millions of individuals.
And the page does also give a highlight to the fact that enforcement notices but not fines have been served against the Met police, and HM Revenue and Customs.
It seems that the use of computers to assist the Met in coping with gang crime in London goes beyond what is reasonable.
Your view? – On the one hand, gangs very bad, catch and prosecute gangs very good.
On the other, how many of us support blanket facial recognition and CCTV everywhere as China seems to be pursuing – too much computerisation very bad?
With HM Revenue & Customs the breach was a lack of clarity in obtaining “consent” to the implementation of voice recognition software on the helplines.
Neither the Met nor HMR&C have been prosecuted or fined.
Again, it seems to me counterproductive anyway to fine the Police, who don’t generate any money, or HMR&C, who do generate it, or at least collect it, but spend it on Hospitals and Benefits and all of the Public Infrastructure that is so hard up.
But what would or should the Information Commissioner do, if ever there is a breach by HMR&C which in their opinion is so blatant as to deserve a swingeing fine?
The rules allow imposition of a fine of 4 per cent of global turnover. I don’t know whether the Revenue has any turnover at all. If it does, presumably, that’s the amount it collects. Which in year ended 2018 was over £605,000,000,000.00.
Although even if there were a fine of £24 billion, where do fines go? Into the general tax fund. Not much point as an exercise, fining the Taxman. As you were then, carry on.
None of the above relates to hackers. But as recent cases show, the activities of hackers have resulted in breaches of GDPR which have far outweighed the seriousness of breaches caused by bored employees, or by ill thought-out systems.
Two cases tower above the rest – those of Wm Morrison Supermarkets, and just yesterday, British Airways.
In the first case, a malicious employee with a grudge against the supermarket released protected information about 5,518 workers there. Morrisons have been found by the ICO not to be in breach of its protection compliance obligations. They had done all they could pretty much, apart from requiring every computer operator to work in tandem with another in order to keep each other honest. The problem there was not an inherently weak computer system vulnerable to hackers outside the building. Even so they are still fighting to avoid having to pay damages.
In the second, -Link Here – British Airways is alleged by the ICO to have failed to maintain the level of computer security required of it by the GDPR.
What is their fine? Over £183,000,000.00.
ICO can point to the fact that the maximum penalty could have been in the region of £488,000,000.00. Still a little salty though.
The hope is that an unbelievably huge fine like this will start a rush to improve systems across industry as a whole to the immense benefit of the consumer. Or… the cynical may simply view this as the first of many such monster fines, each providing a boost to the Government’s Consolidated Fund at huge cost to the long term viability and competitiveness of British industry.
My own unofficial poll indicates that the average citizen of Leeds is a firm believer in GDPR, strongly determined to keep their personal data a secret to themselves.
Why else do they never indicate their intention at roundabouts?
Here’s a song –Link Here-
Remember, if you require our services or if you have any queries on any of the services that we offer then please do not hesitate to email us at firstname.lastname@example.org and email@example.com.
Or alternatively please telephone on 0113 8160116 or 07715608747. Please also feel free to visit our website http://www.atkinsonnotary.com