    Today, 28 January, marks Data Privacy Day, an annual commemoration by regulators and organisations of the importance of respecting privacy, safeguarding data, and enabling trust.

    When did Data Privacy Day become a celebration?

    In 2006, the UK agreed to follow the Council of Europe’s initiative in setting one day a year aside to observe data privacy. This was prompted by polling which highlighted that many European citizens did not understand their data protection rights.

    The annual observation date later became 28 January, the anniversary of the signing of Convention 108 on 28 January 1981. This year marks 41 years since the convention was opened for signature and will be the sixteenth year the UK has celebrated Data Privacy Day. To date, 55 countries have signed or ratified the convention, and 128 countries have implemented national data protection laws.

    Convention 108 was the first legally binding international treaty in relation to data protection. It became the influential starting point for many member states as it required parties to incorporate similar principles within their domestic legislation to ensure the “fundamental rights of all individuals with regards to processing of personal data” were protected.

    Data privacy law post-Brexit

    In the UK, much of our legislation around data protection derives from the EU General Data Protection Regulation. It is a myth that GDPR no longer applies in the UK since Brexit. The UK continues to apply its principles, and non-EU based businesses remain caught by the UK’s application of GDPR by virtue of section 207 of the Data Protection Act 2018.

    The adequacy decision granted by the European Commission (EC) to the UK on 28 June 2021 was another milestone and step forward for data protection. The EC’s decision to grant adequacy reflected its recognition that the UK has data protection rules similar to the EU’s post-Brexit, and that appropriate safeguards are in place to facilitate lawful international data transfers with member states under the GDPR.

    The decision allows data to freely flow between the UK and EU member states for a period of four years, until June 2025. This is due to its unprecedented ‘sunset clause’ which strictly limits the duration of the adequacy decision.

    After this period, the adequacy decision will automatically expire, and the decision will be reviewed. This will be subject to the UK satisfying the EU’s requirements of ensuring that there is an adequate level of data protection.

    Transfers for the purposes of UK immigration control are excluded from the scope of the adequacy decision.

    How to ensure your organisation is compliant with data protection regulations

    There are several ways that you can ensure your organisation is meeting your data protection responsibilities. These include:

    • Recognising your legal obligation
    • Ensuring all information collected complies with Data Protection Act and GDPR requirements
    • Establishing an effective information governance program
    • Appointing a data protection officer where appropriate
    • Maintaining regular audits to assess and monitor data compliance
    • Maintaining records of what information systems hold data and the reasons why it is collected
    • Creating a workplace culture that recognises the importance of good data governance and safeguards privacy well
    • Reviewing the accessibility of this data periodically to ensure it is only used by those authorised
    • Implementing a data breach response plan
    • Monitoring any Intrusion Prevention System to ensure an adequate level of protection
    • Ensuring all policies and procedures are up to date and refer to the latest technology or organisational change

    The benefits of having an effective privacy framework

    Having an effective privacy framework could benefit your organisation, as it:

    • Ensures you are compliant with current and prospective legislation (if regularly reviewed)
    • Reduces the risk of fines and other sanctions from otherwise possible breaches
    • Establishes a company culture that respects privacy, and recognises data protection is important to protect brand value and reputation
    • Supports efficiency and innovation
    • Creates a competitive advantage if the framework is a distinguishing feature from competitors in your industry
    • Improves overall stakeholder trust by providing transparency about how your company handles data

    Sanctions for breaching data

    Organisations who are not compliant with GDPR risk causing damage to their reputation and face severe financial penalties.

    There are two levels of GDPR fines in the UK. The lower level relates to fines up to £8.7 million, or 2% of annual global turnover. The higher level carries a maximum fine of £17.5 million, or 4% annual global turnover.

    The money received from the fines goes to the HM Treasury Consolidated Fund and is distributed across various public sectors including health, education and justice.

    Data breaches and subsequent fines are becoming an active area of scrutiny for the Information Commissioner’s Office (ICO), which issued a record £42 million in fines in 2020/2021. This is an increase of 1,580% compared to the previous year.

    The latest recorded figure of £42 million came predominantly from two high-profile data breaches. The first was British Airways, which was fined £20 million in October 2020 for the security failure that led to a cyber-attack in 2018, in which the personal data of 429,612 customers, such as names, addresses, payment card and booking details, was harvested. The ICO found the airline had been processing “a significant amount” of personal data without adequate security measures in place.

    A similar infringement was committed by Marriott International, which was fined £18.4 million for a data breach that exposed the personal data of 339 million guests globally, including payment details and passport information.

    The ICO also found during the investigation that Marriott failed in their due diligence of Starwood IT systems when they completed the purchase from the Starwood Hotels Group in 2014.

    Other recent notable fines imposed by the ICO or other international regulators include:

    • Ticketmaster was fined £1.25 million in November 2020 for failing to implement appropriate security practices to prevent a cyber-attack on a chat-bot installed on its website, affecting up to 9.4 million customers across Europe.
    • H&M was fined £32.1 million in October 2020 by the German data protection watchdog for the illegal surveillance of its employees. The watchdog found that H&M kept excessive records on its employees and required them to attend a recorded meeting on their return from holiday or sick leave. This was used to create a “detailed profile” of each worker and influenced decisions about their employment.
    • Google was fined €220 million (£189 million) in 2019 by the French regulator for failing to make its consumer data processing statements easily accessible and for not obtaining users’ consent to the use of their data in advertising campaigns.

    Data privacy during the pandemic

    The issue of privacy has never been more prevalent, particularly in light of the pandemic, with a recent survey carried out by Egress revealing that almost half of UK consumers would join a class-action lawsuit against a company that had breached their personal data.

    During the lockdowns of 2020 and 2021, many public and private organisations were forced to close abruptly and adopt various measures overnight in line with government guidance.

    Whilst these measures varied depending on the type of business and industry, common examples such as accommodating a more permanent work-from-home environment resulted in a greater reliance on technology for many workers.

    In addition to this, the collection of personal information regarding health, travel, and vaccination has brought data privacy to the forefront of many corporate agendas.

    The ICO’s annual 2021/21 report highlighted that UK organisations should be mindful of the “lack of public faith” when it comes to companies managing data, due to the constant threat of email phishing and rise in ransomware attacks.

    Whilst the number of reported incidents fell from 3,091 in Q1 2019/2020 to 2,431 in Q2 2021/2022, this reduction is generally understood to be unrepresentative of the actual level of risk and issues, and most likely derives from the measures imposed by the government in response to the pandemic.

    Interestingly, across the same period when many people were restricted to working from home, ‘data emailed to the incorrect recipient’ became the most common incident, accounting for 14% of reported incidents.

    The number of reported incidents relating to software misconfiguration and ransomware also surged by 700% and 564% respectively.

    Healthcare and education were the two sectors that suffered the most in terms of dealing with cyber-related incidents and personal data breaches. Again, this looks to be another direct consequence of the pandemic, as staff in these sectors transitioned to working and teaching remotely, often for the first time.

    How we can help

    Managing risk relating to the processing of data is a significant undertaking for any organisation. It becomes particularly difficult when the topic is highly technical, and the concept is constantly evolving without clear boundaries.

    Our data protection legal experts can support you on any issue regarding GDPR and legal compliance. Please contact us to discuss your requirements.

    Our sister company, the specialist human resources consultancy Kent HR, can also assist with template policies for both data protection and employee privacy. They can also review any existing policy you have in place to provide you with complete peace of mind.
