Included in this issue: Study finds that 75,000 data protection officers will be needed in order to tackle GDPR; ICO fines Assist Law £30,000 for unsolicited marketing calls; ICO issues warning to London Borough council.
Study finds that 75,000 data protection officers will be needed in order to tackle GDPR
The International Association of Privacy Professionals (IAPP) has revised its estimate as to how many new data protection officers (DPOs) will be needed to implement the General Data Protection Regulation (GDPR), which is set to come into force in the UK in May 2018.
The IAPP initially estimated in a previous study that 28,000 DPOs would be required across the EU and the USA. The new estimate of 75,000 DPOs differs because it takes into account the number needed worldwide. For the EU alone, the study puts the figure at 11,790.
Under GDPR, public authorities and companies that are heavily involved in the collection of personal data, or that handle sensitive data, will be required to appoint a DPO at their own expense. The primary role of these DPOs will be to inform, advise and monitor compliance with GDPR. Interestingly, the study highlights the following areas as the most affected: transport and logistics, hospitality, professional services, science and pharmaceuticals.
In a separate study undertaken by the IAPP in partnership with TRUSTe, it has been found that 90% of companies have begun planning for the GDPR, with 43% already having a plan in place.
J. Trevor Hughes, the president and chief executive of IAPP, commented: “Clearly, IAPP members are taking the GDPR’s DPO requirement seriously, with many of them well on their way toward creating a GDPR compliance programme. The IAPP’s training and in-depth educational materials, alongside tools developed by technology providers like TRUSTe, will be vital for helping organizations be ready for the GDPR in May of 2018.”
ICO fines Assist Law £30,000 for unsolicited marketing calls
The Information Commissioner's Office (ICO) has fined Assist Law, a law firm turned will-writing company, £30,000 for cold-calling Telephone Preference Service (TPS) registered households for more than a year.
Initially, the ICO sought to provide Assist Law with guidance, but on investigation it was found that, despite having received a warning from the ICO in May 2015, the company did not amend its marketing policy. In total, 99 complaints were received by the ICO between 29 April 2015 and 15 April 2016, 84 of which were made to the TPS.
Assist Law, in its defence, contended that the list of telephone numbers had been provided by a third-party provider. It later transpired that this provider had sourced the information from various organisations, using consent provisions such as: "Please tick the box to receive information on selected products and services by ourselves and trusted third parties via telephone, SMS, post and email."
The ICO found Assist Law to be in breach of regulation 21 of the Privacy and Electronic Communications Regulations (PECR) and decided to issue the £30,000 fine. The only mitigating factor taken into account by the ICO when deciding on the size of the penalty was the potential damage that the fine could have on Assist Law's future business. The ICO's enforcement manager, Andy Curry, stated: "Despite repeated warnings, [Assist Law] failed to take the basic steps required by law. They should have asked for evidence of consent and screened against the TPS list to check whether people had chosen not to receive marketing calls."
Companies are reminded to review their data protection compliance, especially if they are data-heavy or undertake marketing activities. The amount of fines and enforcement action taken by the ICO has doubled in the last year and is expected to keep rising. Any investigation, even one where no action has been taken, will be kept on file at the ICO. As seen in the case of Assist Law, those who are caught repeating the same behaviours will be dealt a fine at a level appropriate to the size of the organisation.
ICO issues warning to London Borough council
The London Borough of Ealing has been warned to put improvements in place in order to better protect personal information following the loss of sensitive court documents. The ICO has drafted a list of measures, in the form of an undertaking, for the council to follow so that it may improve its practices following the incident. The sensitive personal data, which relates to 27 people and 14 children, was lost when a council social worker left the documents on the roof of her car and drove away in February 2016.
The council had previously been investigated by the ICO following an audit in 2013, which found that there was a "lack of mandated, periodic data protection related refresher training".
The ICO's enforcement manager dealing with this case, Sally-Anne Poole, said: "This council failed to follow our previous advice that it needed to improve training to make sure staff know how to look after personal information. Many of us have no choice but to take work out of the office. But when that work includes personal data, there is an obligation to ensure it is kept safe. People have a right to expect that will happen."
She went on to address the fact that more than 27% of the council's social workers in the children's service team were locums, stating: “It’s vital that if councils are using temporary staff they make sure they, as well as permanent staff, are up to speed with how to look after people’s personal information.”
This case shows that even when an organisation has all of the necessary IT systems in place to ensure that data is kept securely, human error will always have a part to play. It also suggests that the ICO will hold temporary staff to the same standard as full-time employees. Although only a warning has been issued in this case, the level of fines available is illustrated by the £70,000 fine the ICO levied on Islington Council for a breach concerning the data of 200 residents.