
WFH, algorithms and multi-million-pound fines: the year in data protection


My final column of 2020 is in two parts. In this first part, I reflect on what a strange year we’ve had – picking out some of the highlights from an information law perspective. In part two, I’ll be looking forward to what 2021 may bring.

Of course, 2020 has been entirely dominated by the impact of COVID. It has been a difficult year for so many businesses. And the pandemic has thrown up all sorts of data protection challenges. Most obviously, organisations had to adapt to new ways of working, which for many of us has involved working from home. For employers, this led to a much greater emphasis on information security – reviewing and managing the additional risks associated with homeworking, training a newly remote workforce and ensuring that good habits in data governance are preserved. As the emergency situation earlier this year has given way to a new ‘normal’, organisations now need to make sure their internal policies and procedures reflect this new reality.

The new normal also means new types of data collection. This includes hospitality and retail companies needing to obtain track and trace details, workplace testing for COVID, and even data about family members when an employee is required to self-isolate. Some of this data constitutes information about health, which is a special category. Organisations need to take particular care in this area, thinking about the lawful basis for the data’s collection, appropriate retention periods and updating privacy notices.

In some cases, this has required data protection impact assessments to be carried out at speed. This has been challenging for businesses large and small. The Government has also faced its own challenges. Back in the spring, it pinned its hopes on its contact tracing smartphone app, but data protection and privacy concerns almost derailed the whole project and led to a fundamental change of approach.

Moving away from specific COVID-related data, the summer’s major row over A level and GCSE results led to an important public debate about the use and potential abuse of algorithms, and their role in automated decision-making. Even among data protection practitioners, it’s fair to say the rules around automated decision-making were not widely understood. This row brought them to the forefront of our minds, although the decisions to scrap results by algorithm prevented the ICO or the courts from ruling on their scope. The use of algorithms is only likely to grow in the coming years, so this is one issue that is not going away.

Away from the pandemic, the law continued to develop. While (thankfully) there weren’t any major legislative changes this year, we have had new case law. In April, the Supreme Court issued its judgment in the Morrisons case. The Supreme Court overturned the decisions in the High Court and the Court of Appeal, which had previously held that Morrisons was vicariously liable under the Data Protection Act 1998 for the actions of a disgruntled employee who deliberately leaked payroll data of thousands of employees onto the internet.

Data protection cases rarely reach the Supreme Court, so this decision was significant. Employers were pleased with the result, although the Court did affirm the principle that employers can be vicariously liable under data protection law for the actions of their employees (just not on the facts of this case).

This case provided a timely reminder about training staff to handle data appropriately.

In July, the European Court of Justice released its judgment in the much-anticipated Schrems II litigation. The decision invalidated the EU-US Privacy Shield and once again called into question the legitimacy of international data transfers. This is likely to be a big issue in 2021, particularly in light of the Brexit changes ahead – more on this in my next column.

In such a challenging year, day-to-day information governance work took something of a back seat. The ICO made an early and decisive statement that it would be giving organisations impacted by COVID additional leeway, which was very much welcomed and certainly helped to manage some of the initial pressures. But despite the challenges of the pandemic, the regulator’s work hasn’t stopped, and some major cases were resolved.

In October, British Airways and Marriott International finally received their much-delayed GDPR fines. As you may remember, in the summer of 2019 the ICO announced its intention to fine these companies £193m and £88m for serious security breaches. However, the companies made additional representations and so the ICO had to reconsider its approach. The fines issued were massively discounted compared to the original notices of intention, with British Airways receiving a fine of £20m and Marriott £18.4m. These are still huge numbers, but much lower than initially proposed, so in a way, British Airways and Marriott achieved a good outcome. Nevertheless, the era of multi-million-pound data protection fines has truly arrived.

The ICO has also been busy with new guidance. Practitioners have particularly welcomed new subject access requests guidance. The new accountability framework provides much clearer advice on the documents and actions the ICO expects organisations to take to meet their accountability obligations. Elsewhere, regulators have increased the pace of GDPR enforcement, from minimal fines to multi-million euro ones. For instance, the CNIL in France recently fined the Carrefour supermarket chain over €3m for various infringements and Twitter was fined €450,000 by the Irish DPC. There’s an irony in that we’re getting more examples from across Europe at just the moment when these decisions will cease to have an impact in the UK.

With everything that’s happened in 2020, it’s easy to forget that the GDPR and the Data Protection Act 2018 are still very new laws. All of us – businesses, practitioners, the regulator and the courts – are still working through new situations and new challenges. It has undoubtedly been a challenging year, with data protection issues never far from the headlines. In my next column, I’ll look ahead at what 2021 may bring.


Copyright © 2021 SmartRetirementReport. All Rights Reserved.
