Employment News

News added on 28.05.2019



The GDPR one year on - key developments

Now that the GDPR has been in force for twelve months, what are the key developments that have occurred over the last year?

Fines and compensation for breach

Whilst no GDPR fines have yet been issued by the Information Commissioner’s Office (ICO) (all fines over the last year were imposed under the UK’s predecessor data protection legislation, the Data Protection Act 1998), a €50 million fine was imposed by the French equivalent of the ICO on Google in January 2019, for failing to comply with its transparency and information obligations in its privacy notice and failing to have a legal basis for the processing of personalised advertising. For now, it remains unclear how exactly GDPR fines are to be calculated by regulatory authorities and when a significant fine might be appropriate. In the meantime, in May 2019, the ICO issued an enforcement notice (but not a monetary penalty) on HMRC, after finding HMRC to be in significant breach of the GDPR by processing voice recognition data without a lawful basis. HMRC was required to delete the relevant data by June 2019.

Employers are also now vulnerable to vicarious liability for GDPR personal data breaches committed by their employees, following the Court of Appeal’s decision in WM Morrison Supermarkets plc v Various Claimants 2018. We can therefore probably expect to see more class actions from groups of individuals seeking compensation for data breaches as a result. Leave has been granted for Morrisons to appeal to the Supreme Court and that appeal is likely to take place in 2020.

In addition, more than 100 monetary penalty notices were issued by the ICO in November 2018 to organisations that failed to pay the annual data protection fee.

Data subject access requests

It seems that there has been a substantial increase in data subjects exercising their rights since the GDPR came into force, most notably their right to make a data subject access request (DSAR). It’s now free for individuals to make a DSAR and they’re more aware of their GDPR rights than they were under the predecessor legislation. However, there’s still no regulatory guidance on what is meant by a DSAR being “manifestly unfounded” or “excessive”.

Personal data breach reporting

1,792 personal data breaches were reported to the ICO in June 2018, after the GDPR came into force, compared to just 367 in April 2018, and the ICO has said that organisations are over-reporting. There therefore continues to be some confusion among organisations about the circumstances under which they’re required to report personal data breaches; the breach reporting obligations don’t apply where there’s unlikely to be any risk to the individuals affected and they only apply to breaches of security, not to general breaches of data protection law.

What else can we expect?

A finalised text of the proposed ePrivacy Regulation is still awaited from the EU (and is unlikely to be agreed before late 2019) and so this area of the law, particularly with respect to cookie consent and e-mail marketing, remains somewhat in a state of limbo and is likely to remain uncertain for a considerable period of time.

Further guidance from the ICO is also still awaited, including in particular an updated version of the Employment Practices Code, which sets out data protection guidance and good practice recommendations on such key employment matters as recruitment and selection, employment records, monitoring at work and information about workers’ health.

Finally, now that your GDPR privacy notices, policies and procedures have all had a year to bed in, it’s important to remember that they’re not static documents and so now is the time to give them a health check. Make sure they accurately reflect how you process personal data and consider whether they’re working effectively or whether they could be improved. If your GDPR staff training programme was a year ago, now is also the time to refresh that.

A €50 million fine has been issued in France for a breach of the GDPR, but the first GDPR fines in the UK are still awaited. There’s been a substantial increase in data subject access requests for organisations to deal with, and they’re also tending to over-report personal data breaches to the Information Commissioner’s Office. If you’ve not already done so, spring clean your GDPR privacy notices, policies, procedures and training programme now that they’ve had a year to bed in.

© Indicator - FL Memo Ltd • Telephone: (01233) 653500 • Fax: (01233) 647100 • customer.services@indicator-flm.co.uk • www.indicator-flm.co.uk
Calgarth House, 39-41 Bank Street, Ashford, Kent TN23 1DQ • VAT GB 726 598 394 • Registered in England • Company Registration No. 3599719