The Information Commissioner’s Office (“ICO”) has recently published its annual report for the 2017-2018 period, outlining the work it has undertaken over the past year (1 April 2017-31 March 2018). The report includes some interesting facts and figures relevant to organisations, especially public sector organisations, handling personal data in the context of the GDPR.
First, the report demonstrates that members of the public in the UK are becoming increasingly aware of their data protection rights. The ICO reports receiving 24.1% more calls to its helpline and 31.5% more live chat requests than in the previous year (2016-2017). The advice services caseload as at 31 March 2018 stood at 3,526, compared with 115 the previous year, and the ICO’s “Guide to the GDPR” received 2.5 million views on its website. The vast majority of concerns lodged with the ICO concerned subject access, accounting for 39% of the overall total, which suggests that organisations must be ready to respond effectively to these requests.
The report also highlighted the fact that the GDPR cannot be viewed in isolation from other legal instruments. Specifically, in addition to data protection, the ICO also has responsibility for legislation including, but not limited to:
- Freedom of Information Act 2000
- Privacy and Electronic Communications Regulation 2003 (PECR)
- Re-use of Public Sector Information Regulations 2015
- Electronic Identification and Trust Services for Electronic Transactions Regulations 2016
- Network and Information Systems Regulations 2018 (NIS)
This demonstrates that freedom of information, public sector information, e-IDs and information security all need to be considered in concert with the protection of personal data.
In fact, according to the report (page 30), local and national public organisations ranked 3rd and 6th respectively, and educational institutions ranked 7th, among the sectors attracting the most public concern over data protection.
These sectors need to do substantial work to foster public trust in the way they handle personal data and other related matters.
So, what does this mean for organisations and the way they handle data privacy?
The ICO’s success in increasing public awareness may result in heightened scrutiny for organisations handling personal data. This scrutiny is likely to come from data subjects enquiring about the way their data is now handled.
Privacy Notices required by Articles 13/14 will often be the first port of call for an individual investigating their rights. By allocating sufficient resources to ensure these front-facing aspects are compliant, organisations can reduce their risk of falling afoul of the Regulation. Furthermore, the development of a proper suite of GDPR-compliant organisational processes – such as one for Data Subject Access Requests (DSARs) and one for Data Protection Impact Assessments (DPIAs) – should also be at the top of an organisation’s priority list.
Organisations should also investigate their obligations under PECR, the NIS Regulation and other instruments, many of which have been under-considered as the focus has been largely dominated by the GDPR.
While this report focused exclusively on the UK, the introduction of the GDPR has been a Europe-wide phenomenon, and many of the lessons from the UK are likely to translate to other national contexts. All organisations need to be cognisant of their obligations under the GDPR and other related instruments, and be ready to respond effectively to requests for information from regulators or members of the public, in order to increase public trust in data protection in the public and educational sectors.
For more information contact our team.