GDPR has given organisations much to think about, and rightly so. While most businesses do not set out to abuse personal data, many large corporates do, and they have been getting away with it for years. Users have often shown a casual indifference towards how their personal information was gathered and how it is being used. This status quo is rapidly changing, and the change will be driven by the right of individuals to receive financial compensation for the misuse of their personal data.
We expect 2019 to be the year of Data Protection fines and the year that both corporate and personal views on the use of personal data will change. In the 70s Irish people did not have seatbelts in cars, the Sony Walkman was the ultimate personal music device and the state’s drink driving slogan was “Don’t have that 5th pint”. We have very different perspectives on these issues now. Likewise, we are likely to leave this year with a significantly changed attitude towards the use of our personal data.
The year has started without delay. Google (€50m) and Yahoo ($28m) have received fines for misuse of data and for poor corporate governance relating to data protection respectively. This is likely to continue at pace and to follow three overlapping themes:
- The fining of high-profile tech giants. These companies routinely use our personal data for purposes of which we are not explicitly aware. This typically involves profiling a person or tracking their location data in order to promote goods or services. We will see many more global brands at the sharp end of regulatory attention as the year progresses. The same activity can also be used to support political or interest-group objectives; that warrants a separate discussion and is not the focus of this piece.
- ‘Bricks & mortar’ businesses receiving attention from regulators. More traditional businesses that do not operate primarily online will receive fines for the misuse of personal data, in particular where there is a dispute with customers or staff. Business managers need to learn to treat personal data in the same way that a doctor’s practice treats a patient’s records, and to use it with restraint. It is a good time for operational and HR officers to engage with this regulation more thoroughly.
- Individual awards to data subjects, which will drive the real change. At some point during the year individuals are going to be awarded landmark compensation against organisations that have misused their data. Once precedents are set for the size of an award for a particular infringement anywhere in Europe, an avalanche of claims will follow. Many claims will result from genuine misuse; however, I suspect many more will be opportunistic. Organisations need to act now, and not take comfort in a belief that this will not affect them or that it is just an IT issue.
There will be much written over the coming months about the impact of data protection enforcement and the changes needed in industry. Let’s hope that the debates are swift and that mid-sized organisations are not left in the firing line while the real abusers fight it out in the European courts. Without wanting to sound too much like a cautious seamstress, ‘a stitch in time saves nine’, and simple advance action can save a significant amount of effort later.
FIVE steps to protect against data protection fines:
- Purposes: document and track the purposes for which you obtain personal data. This prepares you both to delete data once its purpose is served and to respond to subject access requests.
- Transparency: inform data subjects of how their data is used and of their rights, through contracts and privacy notices.
- Training: train your staff so that you do not unwittingly walk into a data protection liability. The top offenders are likely to be recruitment processes, staff management, customer contracts and the use of CCTV or biometrics.
- Data security: take appropriate care to protect the personal data in your possession, in both electronic and paper formats.
- Documentation: this is mandated by law. If you want to be audit-ready and compliant you must have the appropriate records in place.
The ‘year of data protection fines’ has started, and as the publicity around fines continues, the current level of indifference among individuals is likely to change. We can expect much more enforcement action and real change in the management of personal data during 2019.
We welcome comment on this view of the year ahead and look forward to returning to this theme as the year concludes.
If you found this piece useful please let us know and feel free to share with others.