Connect with us

Hi, what are you looking for?


WFH, algorithms and multi-million-pound fines: the year in data protection

Zoom working from home

My final column of 2020 is in two parts. In this first part, I reflect on what a strange year we’ve had – picking out some of the highlights from an information law perspective. In part two, I’ll be looking forward to what 2021 may bring.

Of course, 2020 has been entirely dominated by the impact of COVID. It has been a difficult year for so many businesses. And the pandemic has thrown up all sorts of data protection challenges. Most obviously, organisations had to adapt to new ways of working, which for many of us has involved working from home. For employers, this led to a much greater emphasis on information security – reviewing and managing the additional risks associated with homeworking, training a newly remote workforce and ensuring that good habits in data governance are preserved. As the emergency situation earlier this year has given way to a new ‘normal’, organisations now need to make sure their internal policies and procedures reflect this new reality.

The new normal also means new types of data collections. This includes hospitality and retail companies needing to obtain track and trace details, workplace testing for COVID, and even data about family members when an employee is required to self-isolate. Some of this data constitutes information about health, which is a special category. Organisations need to take particular care in this area, thinking about the lawful basis for the data’s collection, appropriate retention periods and updating privacy notices.

In some cases, this has required data protection impact assessments to be carried out at speed. This has been challenging for businesses large and small. The Government has also faced its own challenges. Back in the spring, it pinned its hopes on its contact tracing smartphone app, but data protection and privacy concerns almost derailed the whole project and led to a fundamental change of approach.

Moving away from specific COVID-related data, the summer’s major row over A level and GCSE results led to an important public debate about the use and potential abuse of algorithms, and their role in automated decision-making. Even among data protection practitioners, it’s fair to say the rules around automated decision-making were not widely understood. This row brought them to the forefront of our minds, although the decisions to scrap results by algorithm prevented the ICO or the courts from ruling on their scope. The use of algorithms is only likely to grow in the coming years, so this is one issue that is not going away.

Away from the pandemic, the law continued to develop. While (thankfully) there weren’t any major legislative changes this year, we have had new case law. In April, the Supreme Court issued its judgment in the Morrisons case. The Supreme Court overturned the decisions in the High Court and the Court of Appeal, which had previously held that Morrisons was vicariously liable under the Data Protection Act 1998 for the actions of a disgruntled employee who deliberately leaked payroll data of thousands of employees onto the internet.

Data protection cases rarely reach the Supreme Court, so this decision was significant. Employers were pleased with the result, although the Court did affirm the principle that employers can be vicariously liable under data protection law for the actions of their employees (just not on the facts of this case).

This case provided a timely reminder about training staff to handle data appropriately. In July, the European Court of Justice released its judgment in the much-anticipated Schrems II litigation. The decision invalidated the EU-US Privacy Shield and once again called into question the legitimacy of international data transfers. This is likely to be a big issue in 2021, particularly in light of the Brexit changes ahead – more on this in my next column.

In such a challenging year, day-to-day information governance work took something of a back seat. The ICO made an early and decisive statement that it would be giving organisations impacted by COVID additional leeway, which was very much welcomed and certainly helped to manage some of the initial pressures. But despite the challenges of the pandemic, the regulator’s work hasn’t stopped, and some major cases were resolved.

In October, British Airways and Marriott International finally received their much-delayed GDPR fines. As you may remember, in the summer of 2019 the ICO announced its intention to fine these companies £193m and £88m for serious security breaches. However, the companies made additional representations and so the ICO had to reconsider its approach. The fines issued were massively discounted compared to the original notices of intention, with British Airways receiving a fine of £20m and Marriott £18.4m. These are still huge numbers, but much lower than initially proposed, so in a way, British Airways and Marriott achieved a good outcome. Nevertheless, the era of multi-million-pound data protection fines has truly arrived.

The ICO has also been busy with new guidance. Practitioners have particularly welcomed new subject access requests guidance. The new accountability framework provides much clearer advice on the documents and actions the ICO expects organisations to take to meet their accountability obligations. Elsewhere, regulators have increased the pace of GDPR enforcement, from minimal fines to multi-million euro ones. For instance, the CNIL in France recently fined the Carrefour supermarket chain over €3m for various infringements and Twitter was fined €450,000 by the Irish DPC. There’s an irony in that we’re getting more examples from across Europe at just the moment when these decisions will cease to have an impact in the UK.

With everything that’s happened in 2020, it’s easy to forget that the GDPR and the Data Protection Act 2018 are still very new laws. All of us – businesses, practitioners, the regulator and the courts – are still working through new situations and new challenges. It has undoubtedly been a challenging year, with data protection issues never far from the headlines. In my next column, I’ll look ahead at what 2021 may bring.

Read more:
WFH, algorithms and multi-million-pound fines: the year in data protection

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Get the daily email that makes reading the news actually enjoyable. Stay informed and entertained, for free.
Your information is secure and your privacy is protected. By opting in you agree to receive emails from us. Remember that you can opt-out any time, we hate spam too!



Unemployment rate steadied in June, while job quality improved to its best in over a year, the Philippine Statistics Authority reported on Monday. Preliminary...


Follow us on Spotify BusinessWorld B-Side By Patricia B. Mirasol, Reporter speaking to Bernardo M. Villegas WITH EVERY CHANGE of administration comes the question of...


In line with the national government’s thrust to transform the Philippines through PPPs and collaboration between LGUs and the private sector, Iloilo City Mayor...


Click to enlarge. Click to enlarge.   Spotlight is BusinessWorld’s sponsored section that allows advertisers to amplify their brand and connect with BusinessWorld’s audience...


As the Aboitiz Group embarks on a Great Transformation towards becoming the first “techglomerate” in the country by 2025, the company’s power arm is...


Security Bank Corporation (PSE: SECB), one of the Philippines’ leading universal banks, has been serving retail, corporate, institutional, and MSME clients since it opened...

You May Also Like


Having a good Instagram marketing agency to back up your Instagram account is an absolute must going into the new year. With competition stronger...


Ivermectin, an existing drug against parasites including head lice, has had a checkered history when it comes to treating COVID-19. The bulk of studies...


Insomnia is the most common sleep disorder in the global population. Therefore, it is a problem that many people suffer or have suffered throughout...


Instagram still holds the top spot for social media in terms of building brand reputation and expanding business potential. Every day, more and more...

Disclaimer:, its managers, its employees, and assigns (collectively "The Company") do not make any guarantee or warranty about what is advertised above. Information provided by this website is for research purposes only and should not be considered as personalized financial advice. The Company is not affiliated with, nor does it receive compensation from, any specific security. The Company is not registered or licensed by any governing body in any jurisdiction to give investing advice or provide investment recommendation. Any investments recommended here should be taken into consideration only after consulting with your investment advisor and after reviewing the prospectus or financial statements of the company.

Copyright © 2021 SmartRetirementReport. All Rights Reserved.