Five Lessons to Learn From the First GDPR Fine

So we’ve finally entered the brave new world. The first GDPR fine has arrived, just 571 days after the GDPR came into force(!)

Those desperate for the era of loud headlines about massive fines will be disappointed. The initial reaction of many might easily be: is that it?

However, read past the £275,000 and you will find many significant lessons that all organisations should quickly absorb. The fine marks a shift in how the ICO investigates and assesses breaches. And it contains glimpses of what everyone should be doing with GDPR in 2020. Here’s our top five lessons to learn:

1. Paper policies mean nothing on their own

Paperwork should match reality. And once that paperwork states your specific approach, the practice required to deliver it has to be embedded. Without this, the right culture and daily practice to actually manage personal data in accordance with data protection principles will always be missing, risking a breach.


2. A breach of any aspect of GDPR will now always trigger an investigation into other critical aspects and your ability to demonstrate your processing is performed in accordance with the GDPR

Organisations that are able to demonstrate their approach will benefit under this enforcement regime; they will be able to demonstrate their processing is done in accordance with GDPR even in the event of a genuine, one-off human error, reducing the risk of enforcement action.


3. Assessing risk is critical to getting data protection right

There is no “one size fits all” approach to data protection. The GDPR requires and enables organisations to take account of many elements when making decisions on how they will manage data protection (e.g. the individuals whose data they handle; the sensitivity and volume of the personal data processed; what they will be doing with that data; their resources and their appetite for risk). Failure to do this means an organisation will struggle to engage the ICO in a discussion about the proportionality of, and rationale behind, their approach.


4. How much impact would the ICO’s assessment have on your reputation?

Consumers, partners, suppliers, supporters, the media: the expectation that organisations should value personal data and therefore handle it appropriately will continue to rise in 2020, as more headlines are made from enforcement and examples of poor practice.


5. You can help yourself

Recognising the seriousness of a breach; self-reporting where required; reacting quickly to mitigate any issues where you can; and working with affected data subjects and the regulator – with a particular focus on understanding what records, conduct and actions they want to see from you – is likely to greatly help your case.


1. Paper policies mean nothing on their own

Reading not too deeply between the lines, you can fairly conclude that Doorstep took the approach many did before 25th May 2018: simply get some template policies, get some Data Protection Officer guidance and push out a privacy policy…and consider it job done.

The ICO noted that “…the few procedures and guidelines which did make reference to the GDPR…were templates from the National Pharmacy Association and they did not appear to have been incorporated by Doorstep…” and that “the practical advice provided to staff…[was] vague.”

Doing the work required to take guidance and templates and turn them into organisation specific, relevant, fit-for-purpose policies and practical procedures is critical. Policies should be in your own business language and easily understood internally by staff and externally by clients, users, third parties etc…

Making sure those policies and procedures are then actually working in practice is the next critical step. The failure to do this could be seen as the main cause of Doorstep’s breach: their written procedures said that “all waste containing patient identifiable information […] is cross shredded before disposal” but there was no contract between Doorstep and the company they used for this work.

As the ICO concluded “whatever shredding policies or contract Doorstep…may have had in place at the time of the Breach, they were not being correctly implemented.”


2. A breach of any aspect of GDPR will now always trigger an investigation into other critical aspects and your ability to demonstrate your processing is performed in accordance with the GDPR

The GDPR now forces the ICO to always take into account, whatever the nature of the breach, the measures implemented by an organisation in relation to (i) security and (ii) Data Protection by Design and Default.

This is due to the criteria outlined in Art 83(1), which seeks to ensure fines are “effective, proportionate and dissuasive” in each case.

Most significantly of all, the wider obligations placed on an organisation to “implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with [the GDPR]” (Art 24(1)) were also considered in the case.

The ICO commented that Doorstep sought to “downplay” the seriousness of the wider contravention of the GDPR “other than the breach” – i.e. the ICO was asking probing questions about their approach beyond simply the specifics of just the breach.

Doorstep was found to have infringed this obligation because it “adopted inadequate data protection policies, and kept inadequate records of its data processing activities and security measures” so could not “demonstrate that its processing is performed in accordance with GDPR”.

This last line should be noted: the ICO does not say Doorstep “failed to comply with the GDPR,” rather that they could not demonstrate that their processing of personal data was being performed in accordance with GDPR.


3. Assessing risk is critical to getting data protection right

The nature of your business and what personal data you process have always been important; they are more important than ever now as they should underpin your assessment of risk when deciding how to manage data protection.

The key Articles (24 and 32), as well as Article 25, require organisations to take account of the “nature, scope, context and purposes of processing” and the degree to which the rights and freedoms of individuals (whose personal data they will be processing) will be affected.

The ICO noted that the “…volume and sensitivity of the data plainly gave rise to a high risk to the rights and freedoms of the data subjects, warranting significantly more stringent data security measures than Doorstep…applied” and that “…given the nature of Doorstep…business supplying medicines to care homes, it appears likely that a high proportion of the affected data subjects are elderly or otherwise vulnerable.”

The ICO concluded that “…Doorstep…failed to take account of the risks that were presented by the processing, in particular from accidental or unlawful destruction, loss, unauthorised disclosure of or access to the personal data stored, when assessing the appropriate level of security…”


4. How much impact would the ICO’s assessment have on your reputation?

The ICO concluded that Doorstep were not intentionally breaching the GDPR. But they did believe there was “…considerable evidence of extremely poor data protection practice, amounting to significantly negligent conduct.”

The ICO also highlighted that “…contrary to [Doorstep’s] representations, the [ICO] considers that these breaches are both repeated, and negligent in character. They would, taken on their own, be serious; taken with the Breach, the [ICO] considers that they are clearly sufficiently serious to warrant a penalty.”

And the ICO made explicit reference to the sector and work Doorstep did: “Any controller in the kind of business carried on by Doorstep…ought to be well aware of its data protection obligations and be taking them far more seriously. The [ICO] therefore considers that the Breach resulted from a highly culpable degree of negligence on the part of Doorstep…”

For any organisation that relies on contracts from health organisations and works with medical information about vulnerable people, such words from a regulator could have significant reputational and financial impact beyond the monetary amount of the fine. And this would be true for many organisations across many sectors, where trust and expectations of good governance remain critical.


5. You can help yourself

One aspect the ICO considers when deciding whether to fine, and how much to fine, is the degree of cooperation from the organisation.

Doorstep did not help themselves here: they first denied any knowledge of the matter; then refused to answer the ICO’s questions; then challenged the ICO’s Information Notice (compelling them to respond); and finally responded some 6.5 months later to the ICO’s request for information.

They suggested that their waste disposal supplier should be fined, and not them. They then, as part of their representations to the ICO, included more comprehensive policy documents…but many remained in template form…and had been acquired after the breach. In short, they did not help themselves with their approach to the ICO.

Despite all this, they still managed to get the initial amount the ICO sought to fine them reduced by 31% (£400,000 down to £275,000)!


Final observations

Record Management is an unexpected star

Narrowly missing the top five lessons, the ICO’s focus on record retention and good record keeping is an interesting development.

First, the ICO highlighted that “security” means more than just protecting data from unauthorised access or disclosure; they made particular reference to the lack of protection from “accidental or unlawful destruction, loss, alteration” for the records that were found (they were found outside, and some of the documents were soaking wet – and so, one assumes, nearly destroyed and/or altered).

The ICO noted that Doorstep “did not have a retention policy at the time” and that Article 5(1)(e) of the GDPR (requiring data be kept in a form which enabled people to be identified for no longer than is necessary) would likely have been infringed.

The data protection principles have always had a direct relation to records management, especially the “storage limitation” and “data minimisation” principles. The two disciplines have become ever more intertwined. An actively enforced retention schedule and approach to secure records disposal will become ever more critical in 2020, as will broader approaches to efficient creation, storage and access to records.

Privacy will be the coming theme of 2020

That the ICO asked for a copy of Doorstep’s privacy notice as part of their investigation into a breach focused on the security of the data was interesting.

The ICO assessed whether the notice met the GDPR’s requirements – noting that there were “very serious shortcomings in the information provided to [customers]…”

The interesting thing is why the ICO considered this important; they noted that the transparency infringement “may have caused distress in the form of confusion or uncertainty about Doorstep’s… processing of sensitive personal data” and regarded it as a “…significant infringement of [customers’] right to transparency about the processing of their personal data, and is made more serious by the sensitive nature of the data”.

The ICO concluded “that it was particularly important to ensure that [people] were provided with all of the information required…, but Doorstep…paid little or no attention to its regulatory obligations in this respect.”

Given the importance of privacy policies and notices when seeking informed consent – both for processing data, and placing cookies – and more broadly in making sure people are treated fairly and are informed about how their data will be used, 2020 will likely see a focus on how to achieve transparency under GDPR.
