It has been 17 months since the implementation of GDPR, and what impact has it had? With the first fines under GDPR only recently being levied, we ask:
· Do these fines go too far or not far enough, and will they really have any impact?
· Have the consequences been felt, or was it blown out of proportion?
· What does this mean for day-to-day recruitment?
· What does the recent decision from the DPC mean for the future use of Public Service Cards?
In January 2019, CNIL (the French Data Protection Authority) fined Google LLC €50 million. In July 2019, the ICO in the UK announced a fine on British Airways of £183m for a cyber security breach in September 2018 in which personal and account information was harvested. This was followed by an announcement that Marriott International was to be fined £99m for a breach in November 2018 which exposed the personal data of 339 million guests globally (30 million of whom reside within the EU).
These are significant fines, but many argue that they do not go far enough to tackle the underlying issue of corporate policies that breach individuals’ data privacy rights. Many argue that, for example, £99m is only 1.5% of Marriott’s annual turnover even though 30 million EU guests were affected. Still, one must consider the reputational damage done to Marriott, BA and Google. Privacy-conscious users may begin to question what else these companies are doing with personal data, or whether these companies really have strong, consistent policies that keep their customers and users protected.
Many companies have fallen into the trap of believing they are too small to be prosecuted. In reality, they are not too small: all companies are under the watchful eye of the public, and public opinion is key. It should be noted that the Google investigation was taken on foot of a complaint by two not-for-profit organisations, as opposed to an actual breach against an individual user.
So, while a recruitment firm may believe that an individual complaint is too minor to catch the attention of the prosecutors, this is not, in fact, the case. It just needs to catch the attention of the public. A simple negative social media post could escalate into something detrimental to a firm. Remember – GDPR has tiered fines, with lower-severity breaches still attracting a fine of 2% of annual turnover, so no simple complaint should be sniffed at. Ignoring a single individual could lead to massive consequences.
Although the Irish Data Protection Commission (the “DPC”) has yet to impose a fine under GDPR, it remains very proactive. In 2018, the DPC received 4,113 complaints and several investigations have been commenced. In August 2019, the DPC reviewed the issuing and use of Public Service Cards by the Department of Social Protection. State agencies were using these cards to make thousands of decisions every day that impacted individuals. Access to certain services, such as social welfare, was contingent on having this card. Campaigners against the card raised the idea that this would become a national identity card and eventually every citizen would require one to access basic services.
The DPC took these fears on board and conducted a rigorous review of the system, including the original concept versus what it transformed into, transparency, safeguards, retention, the control of the individual over the information, etc. While it has yet to publish a report on its findings, the DPC has provided a summary. It found that there is a legal basis for the Department of Social Protection to process information for the purposes of issuing a PSC for accessing social benefits. However, there was no such legal basis for the department to process information for the purposes of issuing a PSC for transactions between individuals and any other state body. What does this mean? It means that requiring a PSC for the collection of social entitlements such as welfare payments, free travel, etc. is legal. However, there is no legal basis for any other state body to require a person to get a PSC. So, for example, the issuing of a passport cannot be contingent on holding such a card.
Conversely, the DPC has indicated that the Department’s indefinite retention period is not valid. The DPC has made several recommendations and provided the department with 6 weeks to comply.
So, what can firms do to avoid coming to the attention of the DPC? Well, prevention is better than cure. Firstly, data privacy policies should be in place, and staff need to be adequately trained to recognise a potential privacy issue and deal with it correctly. These policies need to be embedded within the culture of the firm, encouraging employees to constantly question why they are collecting information, consider what it will be used for, and whether the person would expect their information to be used in this manner. Employees should have adequate avenues through which to raise potential issues that arise in the day-to-day running of a firm that management have not noticed, and should be encouraged to do so. All individual complaints should be looked at, even if they come from a disgruntled individual who you believe is making a nuisance request. Note also that BA’s fine arose as a result of a cyber security breach. Ensure that adequate protections are in place to prevent such breaches. Constantly review policies and procedures to ensure they are not out of date.
Another point to note from the recent DPC findings is that, when it was reviewing the PSC programme, an influencing factor in the finding was how far removed the programme was from its original concept. The purpose was originally for the card to be a chip-and-PIN type card allowing an individual to access social welfare payments. However, by the time it was implemented it had become a photo identification card to be used for accessing many other services. This needs to be borne in mind when conceiving new programmes. When developing an internal programme and reviewing the data privacy concerns, firms need to ensure that they revisit the data privacy element prior to implementation, to take account of the way a programme has developed from initial concept to final implementation.
Finally, it should be noted that the breaches for which fines have been levied under GDPR occurred within 4-6 months of GDPR coming into force. This is because GDPR became effective immediately from May 2018. There was no grace period. If you have not implemented an effective data privacy programme and procedures, you need to do so.
So, while many still believe that GDPR is nothing more than a phenomenon that will pass with time, it is looking like it is here to stay.
Prevention is better than cure. Knuckle down, put on your thinking cap and get your data privacy program in place!
We at CareerWise Recruitment have worked diligently on the implementation of the General Data Protection Regulation and are very interested in speaking with candidates and clients alike… GDPR Matters, TRUST matters, your data matters.