Three eras - the sunset of £500K, the dawn of GDPR enforcement and the horizon of Brexit

In just a short space of time, the ever-evolving world of data protection and cyber has seen yet more change:

1. Potentially one of the last enforcement actions under the Data Protection Act 1998 against Equifax - and a maximum £500,000 fine for them for failing to secure UK citizens' personal data against breach. This is against the UK part of the organisation but for its failure to secure the data while being held by the US-based group company. 
2. News of the first enforcement notice from the ICO against Canada's Aggregate IQ - the organisation that assisted with the profiling and targeting of adverts to gain support for Vote Leave. Interestingly, the notice lists a range of non-compliances including processing without a lawful basis, and failing to provide transparency information to the individuals whose data it was. The notice requires the data processing to be ceased, and it is dated 6 July but was only reported in the media on 20 September. Aggregate IQ have filed a notice to appeal the enforcement notice. We wait to see what happens next. This is, of course, all part of the deeper investigation into political campaigning which has been ongoing with the ICO for some months and has already resulted in fines for Vote Leave itself and Emma's Diary. 
3. Brexit - the government published its paper on the no deal implications on data protection. There were two key takeaways - firstly that the UK had hoped an "adequacy decision" from the EU would allow personal data to continue to transfer between the EU and the UK, but that this may not now happen in time; and, secondly, if that is the case, the EU model clauses are intended to be used for data transfers should the adequacy decision not be provided. This may lead to a rush for model clauses as we approach the March date. However, for now it is best to maintain a watching brief as we have heard elsewhere that a separate deal on data protection may be done. We know the ICO is keen to maintain a seat on the European Data Protection Board (EDPB) which replaces the Article 29 Working Party.

So what does this all mean?

Well, data protection and cyber security is headline news yet again. Coming only a few days after the BA breach and news of a group action on behalf of affected passengers, this will be worrying reading to boards and managers around the country. We would recommend:

(a) checking security steps, ensuring your board/managers are briefed on the 5 steps as set out by the National Cyber Security Centre - https://www.ncsc.gov.uk/guidance/board-toolkit-five-questions-your-boards-agenda. Avoid single points of failure or human error.
(b) Be clear on how and why you collect data, what your legal justification for this is, and how you are clear with individuals as to how their personal data is being used and shared; and
(c) Be ready for the implications of Brexit - knowing where personal data is coming from and going to should be clear already in your data inventories/records of processing, but ensuring you know where the contracts are and how they can be updated could be important - let's hope there is a Brexit deal or data protection deal at the least.

Do let your usual Shoosmiths contact know if you have any queries, or get in touch with one of the data protection team - JP Buckley, Ana Fowle, Sherif Malak and Sarah Tedstone, supported by our team members in our offices around the country.