Why firms must stay on top of data protection

Data protection laws across the EU were strengthened with the introduction of the General Data Protection Regulation (GDPR), which took effect in May 2018. At the same time, the Data Protection Act 2018 came into force transposing the GDPR into UK law and replacing the Data Protection Act 1998.

Given that the regulation protected data from the EU including the UK at that time, this caused a flurry of activity in businesses. Employers in particular reviewed their data protection policies and updated contracts, which can no longer require an employee to give their automatic consent to data processing.

Firms also implemented new privacy notices for staff and employment candidates about how and why their data was stored and processed, how long it was retained and when it would be deleted.

Since the UK left the EU, the government has retained the data protections laid down by the GDPR. Although it is now regarded as a third country i.e., a country outside of the EU/EEA regions, in terms of such laws, all British data controllers should be aware of their obligations when it comes to storing and transferring data between the EU, EEA or other third countries.

It remains critical for employers and data controllers to ensure that their data processing policies and procedures remain up to date and comply with the 2018 Act. The government has indicated it will strengthen protections in the forthcoming Data Reform Bill, but this has not yet been published.

All data controllers should therefore regularly audit or assess whether their company remains compliant with good data protection practice and procedure. This will help an organisation identify whether it has effective controls in place to identify and mitigate any risk of a data breach, and in the event of such a breach ensure that there is an audit trail relating to its data management processes.

The Information Commissioner's Office (ICO) recommends that audits should scrutinise practices such as data governance, policy and procedures, and management of personal data, subject access requests (SARs), and requests from third parties such as overseas offices to share data. Staff training on data protection and technical and organisational measures to ensure data security should also be audited.

The data held on employees should be reviewed routinely to ensure that there is a legitimate purpose for retaining and processing it. On termination of employment, this can be kept for certain periods, with tax and pay records generally retained for up to six years.

The privacy notice provided to an employee should confirm how their data is held, processed and stored. It should also set out how long it will be retained and when or if it will be permanently deleted.

In some sectors, for example construction, medical or legal, data may need to be retained for compliance, regulatory or insurance purposes and in which cases, it will be necessary to retain data longer. Employees should be appraised of this so they can give proper, informed consent. Privacy notices should also deal with how personal data is processed, used or shared with third parties e.g., pension and healthcare providers and how it can be accessed particularly when secure IT systems are needed to enable remote access.

The same issues arise in recruitment. The data controller should have a privacy notice that is provided to candidates who apply for employment. Candidates should be informed where they can find the information on how their data is held and processed by the company, for example on a company webpage. Such a notice should give similar information as the employee privacy notice when it comes to processing, storage, retention and deletion of candidate data.

Generally, employers may retain candidates' data for at least three months before permanently deleting it. As candidates can bring discrimination claims about the recruitment process up to three months after a decision, an employer is well advised to retain documents, including any notes relating to meetings, interviews or the selection process.

There are several exemptions, and these include instances when there is legal privilege on the data, where data refers to third parties, and for crime, taxation or regulatory functions among others.

SARs are particularly common when there is a dispute, and many employees raise requests in the hope of finding information that will be beneficial to their claims against an organisation.

On receipt of an SAR, an organisation has 30 days to respond, although there is some scope to extend for a further two months if there are multiple requests or the request is complex and the data controller may need additional time to consider the request and respond. A full search for data needs to be carried out, and this can involve trawling an IT network as well as searching work emails and mobile phones.

That data then needs to be reviewed to weed out anything that is exempt before the results are shared with the individual. Failing to respond may lead to a complaint to the ICO, and it may penalise the data controller for not replying to the SAR or providing the requested data.

Where an organisation deems an SAR to be manifestly unfounded or excessive, it can refuse to respond. However, data controllers should seek professional advice at an early stage if they intend to reject a request on the basis of an exemption or deeming it excessive or unfounded. This may help mitigate the risk of disputes going to the ICO.

Under the GDPR, data subjects also enjoy the right to be forgotten and can request that their data is permanently and irretrievably deleted. An organisation will need to remain mindful of any legal requirement to retain certain data such as tax and pay records, but could consider anonymising that data where possible.

On this note, it is also no longer permissible to retain anyone's data for marketing purposes without their consent. An organisation must now have in place a process to delete such data on a permanent and irretrievable basis when a customer/data subject asks them to do so.

For instance, British Airways was fined £20m in 2020 for a data breach two years previously. The details of more than 400,000 customers had been compromised following a cyber-attack, which the airline apparently did not detect for some two months. More recently, the Royal Mail Group was fined £20,000 for a data breach.

As GDPR applies to any company that holds data about EU subjects, companies from outside the UK and EU must also comply or face penalties. In May, the ICO issued a fine of £7.5m against a US company, Clearview AI, and ordered it to delete all of the data it held on UK citizens. This followed a €20m fine by Italy's Data Protection Authority (DPA) in March, while a decision by the Austrian DPA is expected soon.

ICO action is not limited to these high-profile cases, and its website records financial penalties and enforcement notices issued against many smaller organisations. It is therefore critical that data controllers have a data protection strategy and monitor their policies and procedures to ensure their systems for handling and storing information are secure – especially with an ever-increasing threat of cyber-attack.

There are harsh penalties for sending messages to recipients who have not given their consent. For example, Reed Online Limited was fined £40,000 by the ICO in April this year for sending unsolicited emails. In a similar case of the same month, Finance Giant Ltd was fined £60,000 for sending unsolicited messages.

Data controllers who lose control of sensitive personal information by sending emails to the wrong recipients or fail to protect the identity of recipients on group emails have also been fined by the ICO. In December 2021, it fined the Cabinet Office £500,000 for disclosing the postal addresses of the 2020 New Year Honours recipients when a file containing the names and addresses of more than 1,000 people was posted on the government website.

The cost of a data breach to a business is not just the fine but also the reputational damage. Organisations may also find that they incur significant expenses for IT repairs, downtime, loss of productivity, and the legal and professional services needed to manage the fallout.

Data controllers have a duty to assess the risk to any person's rights and freedoms arising from a data breach and to report themselves to the ICO within 72 hours of a breach.

Reporting is not compulsory, and the responsibility for deciding whether the breach is serious enough to warrant this lies with the data controller. However, this is problematic because the ICO may not share their view.

If an organisation does decide not to report, a record of the breach and the reasons for this decision should still be kept, so this can be explained later if need be. A cautious approach is therefore preferable as a way of reducing the risk of criticism or sanction from the ICO.

It is worth noting that, even if an organisation does not regard a breach as reportable, an individual whose data has been compromised can still refer it to the ICO. All aspects of the breach therefore need to be carefully considered when deciding to report it or not. The ICO provides a helpful self-assessment online tool for data controllers.

In summary, data controllers should prioritise routine audits of controls, processes and training in data management, security and processing. It is likely that the forthcoming Data Reform Bill will change the legislation, so ensuring that your data management officers and managers keep up to date is essential.