General Data Protection Regulation (GDPR) breaches are frequently making headline news. One case came to my attention via a complaints forum, and it shines a spotlight on clear breaches and a lack of regard for the data protection laws.
The data that these firms hold about you is your personal data, and under the GDPR and the Data Protection Act 2018 you have rights over how it is used. You will probably have heard of the GDPR, although most people don’t fully understand the implications and the impact it has on everyone’s lives.
The Data Protection Act 1998 (2002 in the Isle of Man) was updated and replaced in May 2018 by a harmonised regime, the GDPR together with the Data Protection Act 2018, although the principles remain the same, with a new accountability requirement added.
The reason for this is that technological and digital advances were not relevant to, or covered by, the old legislation, and the aim was to harmonise the rules and give EU citizens more power over the use of their personal data. This legislation remains in place after the UK has left the EU (retained in UK law as the “UK GDPR”), so it’s here to stay.
The most significant addition is the accountability principle. GDPR requires organisations to evidence how they have complied with the principles – for example by documenting the decisions taken about a processing activity.
The penalties for non-compliance can range up to €20m or 4% of annual global turnover, whichever is higher, and the Information Commissioner’s Office (‘ICO’) takes a variety of factors into account, including the gravity of the offence, the damage to the individual, whether the infringement has been disclosed to the ICO, and other aspects.
It is worth knowing that an organisation is required to report a personal data breach to the ICO within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to people’s rights and freedoms. Failing to report a breach that should have been reported is treated as a separate infringement, and the penalties incurred will reflect that.
In this scenario, the data held by the car dealership contained claims such as:
- “The seat is now loose due to driver size and weight, it’s partially collapsed and has come loose at the base where the bolts attach. This isn’t covered by the mechanical warranty” and “I believe the customer is a serial complainer / scammer.”
The first lesson anyone ought to take on board when they are dealing with customer data (which relates to the customer, who has rights over it) is that under Article 5 it must be accurate, adequate and relevant, bearing in mind that the customer can access it at any time by submitting a Data Subject Access Request (DSAR).
In this case, the customer has only received a couple of screenshots, and this will just be the tip of the iceberg.
My advice was to reiterate that you want literally everything you are entitled to see, in a clear and easy-to-read printed format, within the statutory period from the date of receipt of the Data Subject Access Request (which should always be sent by recorded delivery for this very reason).
My next step would be to scrutinise what I have received. If I suspected that any data was being withheld, I would insist that an independent audit is carried out, with all PCs examined for any deleted e-mails, so I can fully ascertain the position before proceeding with further action.
Further action in this instance would address the defamatory and false statements made about the customer. These can be supported by independent reports stating that the car seat clearly had inherent faults that were not disclosed at the point of sale. That would be a misrepresentation falling under the Misrepresentation Act 1967.
What are your thoughts on this? Have you successfully dealt with a data protection breach?