In our previous article*, we looked at some key scenes from the first season of the GDPR. This next part takes a peak at what’s likely to be the main plot for season 2 (spoiler alert).

One point often overlooked by some who felt that 25 May 2018 was a bit of an anti-climax is that it was never intended to be a finishing line. In fact, Elizabeth Denham (the UK Commissioner) repeatedly emphasised in the lead up to that date, including in her myth-busting blogs, that “GDPR compliance will be an ongoing journey” and that it’s “not an end point, it’s just the beginning”. The beginning of what though?

The answer lies in the data protection principle (DPP) of accountability. You’ll recall that this new DPP makes clear that controllers are not just responsible for complying with the other DPPs, but that controllers must also be able to demonstrate their compliance.

Accountability involves implementing technical and organisational measures which are risk-based and proportionate, and which are reviewed and updated as necessary. In terms of measures, think policies, contracts, records of processing, data protection by design & default, DPIAs, DPOs and more. These measures were previously recommended as ‘good practice’, but are now mandated by the GDPR in many situations.

At the ICO’s 2019 annual conference, the UK Commissioner said that for her, “the crucial, crucial change the law brought was around accountability. Accountability encapsulates everything the GDPR is about.” She went on to say that it involves “seeing data protection as something that is part of the cultural and business fabric of an organisation.”

This chimes with the fact that “creating a culture of accountability” had been identified as a strategic priority by her Office in its Information Rights Strategic Plan 2017-2021. Accountability is also (for example) highlighted in the ICO’s Regulatory Action Policy as a basis for reducing the severity of a sanction when things go wrong (as they inevitably will at some point).

So it makes sense that the few GDPR enforcement cases we’ve seen over the last year from across the EU arise out of accountability issues. In fact, looking at those cases, it’s not the severity of the sanction that’s of any particular note (except, perhaps, in the case of CNIL’s fine levied against Google). Rather, it’s the fact that these cases illustrate the consequences of contravening DPPs other than the security principle (which, historically, has been the focus). Take, for example:

  • Datatilsynet (the Danish SA) issuing a DKK1.2m (c.£140k) fine to a taxi company, Taxa 4x35, for contraventions of the data minimisation and storage limitation DPPs.
  • UODO (the Polish SA) issuing a PLN1m (c.£200k) fine to a data broker, Bisnode, for a contravention of the right to be informed.
  • The GBA (the Belgian SA) issuing a €2k fine to a mayor who sent an email for election purposes to an email address he had obtained in the performance of his mayoral duties, in contravention of the purpose limitation DPP.
  • CNIL (the French SA) issuing a €50m fine to Google for lack of transparency, inadequate information and lack of valid consent relating to ad personalisation.
  • The ICO issuing its first GDPR enforcement notice to HMRC for a lack of a valid lawful basis for its processing of biometric data in the context of its Voice ID service.

Whilst the recent sweep by the Global Privacy Enforcement Network indicates that many organisations have started on their journey to creating a ‘culture of accountability’ when it comes to data protection (worth a read if you want to get a feel for where your organisation sits in relation to the five indicators assessed against), it’s equally clear from the results of that sweep that there’s much more to be done for many organisations. Adam Stevens, the ICO’s Head of Intelligence, was quoted as saying this of the sweep:

“The findings suggest that whilst organisations contacted by the ICO and our international partners have a good understanding of the basic concept of accountability, in practice there is significant room for improvement.

“It is important that organisations have appropriate technical and organisational measures in place. This includes having clear data protection policies, taking a ‘data protection by design and default’ approach and continuing to review and monitor performance and adherence to data protection rules and regulations.”

No surprise then that the UK Commissioner recently observed – based on breaches reported to the ICO (which have quadrupled to 14k), cases her Office investigates (which have doubled to 41k) or audits conducted – that she hasn’t yet seen the change in practice from data protection being a box ticking exercise to it forming part of the cultural and business fabric of organisations. This is why, although media focus in the coming months will inevitably be on fines as the outcomes of investigations launched by the ICO and DPC start to come through, accountability is likely to be the main plot for season 2.

CNIL says that “The year 2019 will be decisive in giving credibility to the new legal framework and turning this ambitious European gamble into operational success.” Leaving aside the interesting choice by CNIL of the word ‘gamble’ to describe the GDPR, it seems that accountability is how the SAs are banking on achieving that outcome.

*Please read the previous article by clicking here.

Authors