17 August 2017 / by Regulatory
More Protection and Bigger Fines: UK data protection laws to be overhauled
Companies are set to face harsher penalties where customer information is exposed in data breaches in a bid to give consumers the confidence that their data is protected and that those who misuse it will be held to account.
Last week the British government announced plans to strengthen UK data protection law with a new Data Protection Bill, which will give the Information Commissioner’s Office (“ICO”) the power to fine companies up to £17 million, or 4% of global turnover (a significant increase from its current maximum fine of £500,000), in the “most serious data breaches.”
The new bill is set to provide “one of the most robust, yet dynamic, set of data laws in the world”. It will aim to give people greater control over their data by implementing stricter requirements on companies to obtain consent for its use. It is envisaged that the new bill will also make it easier for people to withdraw consent for the use of their personal data and expand the definition of “personal data” to include data such as DNA, internet cookies and IP addresses, increasing the red tape for companies.
Although this will result in an increased burden for companies in relation to consumers and an increased risk of penalties, the clarity provided by recent Court of Appeal decisions on subject access requests (SARs) has been welcomed by companies. It comes at a time when the existing burden on employers, arising from time-consuming and expensive SARs made by aggrieved employees or ex-employees, has been intensified by uncertainty over the precise scope of their obligations.
The recent judgments of Deer v University of Oxford, heard together with Ittihadieh v 5-11 Cheyne Gardens RTM Co Ltd, and Dawson-Damer v Taylor Wessing LLP provide useful guidance for employers facing SARs such as whether they should comply and how to comply, setting out in detail the extent to which employers must go in searching for data. The rulings also eradicate the possibility of refusing to comply with a SAR simply because its purpose is to aid litigation.
The recent judgments set out a number of factors that could justify a refusal to provide certain documents, including where there is a more appropriate route to obtain the information, such as disclosure in legal proceedings. However, the General Data Protection Regulation, which comes into force in May 2018, will bring a tougher penalty regime for non-compliance, making it even more important to get the response to SARs right.
Contrary to the view taken in the ICO Guidance, the judgments confirm that employers are only required to carry out a reasonable and proportionate search for personal data. However, a proportionate search may still be fairly extensive, particularly for large companies, and therefore may not provide an easy solution.
Most data subjects alleging a failure to comply with a SAR will complain to the ICO rather than take legal action, and employers will continue to face uncertainty until the new legislation comes into force and the ICO’s response becomes clear.