GDPR - Much Ado About Nothing?
GDPR has been in effect for almost six months now, and the Information Commissioner’s Office (“ICO”) has prosecuted or taken other enforcement action (imposing monetary penalties or enforcement notices, or demanding undertakings) against 21 organisations so far.
Enforcement action is likely to follow a breach of data privacy laws. Organisations have an obligation to report data breaches (a loss of personal data which may indicate non-compliance with data laws) to the ICO and aggrieved individuals can make complaints to the ICO directly and completely bypass the organisation.
Unfortunately, the ICO’s website does not offer any guidance on this for organisations, but we have been informed that the following process is likely to be adopted when a direct complaint is made:
- The case officer considers whether there is any evidence to prove the alleged breach.
- If not, the complainant is asked to provide additional information or documentation.
- The case officer notifies the organisation of the alleged breach and seeks their initial response and any supporting documentation.
- The case officer considers all of the evidence and applies a “balance of probabilities” test to determine whether or not the breach has occurred. This is a relatively low threshold as the case officer only needs to consider whether it is more likely than not that the breach occurred.
- The case officer informs the organisation of their decision and, if it is the imposition of a non-financial penalty, the action that the organisation must take. (It gets more complicated if they want to impose a fine.)
- The organisation has a right to appeal the decision.
There is a general, and sensible, view that co-operation with the ICO is likely to reduce the severity of any penalty imposed. This may explain the 500 or so calls to the ICO every week from organisations wishing to report themselves for a suspected breach.
That said, the ICO does not always get it right, so if you do not accept a case officer’s finding, it is important not to feel intimidated and to appeal their decision.
This is exactly what happened to one of our clients. An ex-employee had allegedly sent a data subject access request via recorded delivery to the client. The ex-employee complained to the ICO and stated that the organisation had failed to respond to his request that had been made a month earlier.
An ICO case officer contacted our client and informed them that they had failed to comply with their data protection obligations and were now required to take specific steps to improve their practices.
The case officer had failed to seek a response from our client or to disclose the evidence that had been relied on. It was also clear that a standard template letter had been used, as the sentence “Use suggested paragraph folder to expand. Use links to website also” had not been deleted.
With our assistance the client appealed this decision and asked to see a copy of the evidence which was subsequently provided. The evidence consisted of a Royal Mail tracking document obtained by the ex-employee which, in the case officer’s view, was sufficient to show that a letter had been sent to our client by recorded delivery.
In fact, this document only indicated that a letter, with unspecified contents, was accepted by the Post Office. It did not identify the name of the intended recipient, the address to which the letter was to be delivered, or whether, indeed, the letter had ever left the post office.
Our client contacted Royal Mail, who said that there was no evidence on their system that the item had ever left the post office, and that in any event a signature from the recipient acknowledging receipt must be obtained when an item is sent recorded delivery. They had no such signature.
The Post Office had provided the ex-employee with a tracking number, which he had used to download the document. He should therefore have been fully aware that the letter had never reached its destination; yet, it seems, he made no attempt to contact Royal Mail or the organisation.
The case officer accepted this argument and overturned the decision.
If the client had accepted the decision, they would have had to provide all staff with mandatory training and carry out a review of all policies and procedures and the methods used to process data. This would have caused significant disruption to the organisation and would not have been inexpensive.
For any questions you have relating to GDPR and Employment Law you can contact Natalie Rawson 02380 717717 or email email@example.com.
This is for information purposes only and is no substitute for, and should not be interpreted as, legal advice. All content was correct at the time of publishing and we cannot be held responsible for any changes that may invalidate this article.