GDPR- Top tips two years on

On 25 May 2018 the General Data Protection Regulation (GDPR) came into effect, and was heralded as the EU’s biggest shake up of data protection regulation to date.

In the run up to ‘GDPR-Day’ we were inundated with emails from businesses asking us if we wanted to “stay in touch” and asking us to re-consent to email marketing. Businesses scrambled to put in place GDPR compliant privacy policies by the 25 May deadline, with the threat of fines at a maximum of €20 million or 4% of annual global turnover on the horizon.

However, the reality is that many organisations had not completed their GDPR preparations by that date, and with the perceived grace period for implementation over the last year, many companies are still behind.

This week, over a year after the GDPR came into force, we saw the ICO issue its first public fine, hitting British Airways with a huge £183m fine (although still some way under the maximum 4% of annual global turnover that could have been issued).  Before this, fines under the GDPR had been limited. Over the past year there had been €56 million in fines issued against errant organisations, of which €50 million was issued against Google by the French data protection office and the balance split between much smaller fines throughout the EU.

Notwithstanding, what is obvious is that individuals are more conscious than ever about what data they share, who they share it with, and what those organisations then do with it.

The GDPR is intended to be an exercise of ongoing compliance, rather than a tick-box-exercise. Our top tips for achieving ongoing GDPR compliance are below:

  1. Policies and Procedures

As a bare minimum, organisations should make sure that they have in place GDPR compliant privacy policies and cookie policies, and have systems and procedures in place to record their processing activities (including processing purposes, data sharing and retention).

If you are carrying out processing that is likely to result in a high risk to individuals, you must ensure that you carry out Data Protection Impact Assessments (“DPIA”).

This is not the end of the exercise, however, with the ICO stating in their annual review earlier this year that one of their focuses for 2019 is ensuring that organisations move beyond ‘bare compliance’.

  1. Register with the ICO and pay the relevant fee

This requirement is easy to satisfy. Any organisation that is a data controller needs to register with the ICO and make payment of the annual data protection fee. This is one area where the ICO has been cracking down on both larger and smaller companies, and imposing significant fines for non-payment.

  1. 3rd Party Contracts

The GDPR requires organisations (data controllers) to enter into written contracts containing specific provisions with any 3rd party that processes personal data on its behalf (data processors).

This is one area where we often see organisations falling behind, and particularly where personal data is transferred outside of the EU. Having in place a standard set of contractual provisions which can be included in any terms of service or supplier agreement can be simple way of ensuring that this element of compliance is dealt with.

  1. Data Subject Access Requests

Does your organisation know how to handle a Data Subject Access Request (“DSAR”)? Over the past year we have seen an increase of DSARs, and in particular those issued by employment lawyers or litigators looking to secure a tactical advantage. Individuals do, however, have a right to access their personal data, and organisations need to know how to respond to these in an effective and efficient manner to avoid expending unnecessary time and resources or a breach of the individual’s rights.

  1. Ongoing training

Many organisations will have carried out some element of training in the run up to the GDPR deadline last year, but it is always sensible to ensure that staff are kept up to date. Organisations should consider running regular refresher training, particularly for staff who handle large amounts of personal data including HR and marketing. This is key for understanding what to do in the event of a breach, upon receipt of a DSAR, and when to carry out a DPIA.

  1. Appoint a Data Protection Officer (if necessary)

The GDPR makes it a legal requirement to appoint a Data Protection Officer (“DPO”) if (a) you are a public authority or body, (b) your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking), and (c) your core activities consist of large-scale processing of special categories of data or data relating to criminal convictions and offences.

Organisations can also choose to voluntarily appoint a DPO.

The DPO can be an existing member of staff, or externally appointed.

  1. Work towards “data protection by design and default”

This means you have to integrate or ‘bake in’ data protection into your processing activities and business practices, from design right through the lifecycle. Data protection by design is about considering data protection and privacy issues upfront in everything you do. It can help organisations to ensure that they comply with the GDPR’s fundamental principles and requirements, and forms part of the GDPR’s focus on accountability.

Brexit frustration

Following the UK’s decision to leave the EU, the medicines regulator, the European Medicines Agency (EMA), decided to relocate from its Canary Wharf premises to Amsterdam. The EMA tried to bring their lease at to an end, maintaining that the 25 year lease, granted in October 2014, would be ‘frustrated’ by the potential withdrawal of the UK from the EU.

Key to the court rejecting their argument was the length of the lease (25 years), the absence of a break clause and the ability to assign and underlet the premises.

The court’s decision would clearly have had a significant impact, if it had gone the other way.  Whilst it has prevented the floodgates opening for now, it is also unlikely that this is the last we will hear of this type of argument.  Some commentators have suggested that, where parties can show a common purpose to the signing of the lease, specifically it being dependent on the UK remaining within the EU, judges may have a more sympathetic ear. The EMA have sought leave to appeal …. watch this space.

This was the one of two cases covered by Michael Lewis, head of property disputes at Sherrards, and Ben Walters who were guest speakers at a recent CPD training day run by South of England Surveyors for over 100 surveyors based on the south coast.

The Taste of Victory

Due to a recent ruling by the European Union Intellectual Property Office (“EUIPO”), any business across Europe is now permitted to use the name “Big Mac” on any of their products in stores. The change comes after the relatively small Irish restaurant chain, Supermac, won a  long running battle against McDonald’s to have use of iconic Big Mac trademark cancelled across Europe.

The global powerhouse McDonald’s ultimately lost the case for their trade mark due to an inability to prove “genuine use”. The McDonald’s defence included providing  print-outs of its websites, examples of advertisements and packaging, three signed affidavits from its executives, and a print out of its Wikipedia page as evidence that it sells Big Macs across the EU and deserves a trademark. This was not sufficient evidence in the case however and the EUIPO held that, “Even if the goods were offered for sale, there is no data about how long the products were offered on the given web page or in other ways, and there is no information of any actual sales taking place”.

In the end, McDonald’s lost their monopoly over the name Big Mac, which is sure to be a huge blow to the company due to Big Mac being considered one of the most easily recognisable brands on the planet.  We are waiting on news of any appeal but for now the real question that we must ask ourselves is “can you call it a Big Mac if it has bacon?”