Written by our MD and lead consultant, Matthew Lamb.
So here we are, one year on from the GDPR and the Data Protection Act 2018 coming into law, and many people will say that it was a big fuss over nothing because not much has changed; a bit like Y2K (for those of you who were too young or don’t remember, there were fears that the world would grind to a halt because computers wouldn’t be able to cope with the change from 1999 to 2000).
People may ask why there haven’t been masses of massive fines for transgressions; in fact over €50 million has been levied in the past year. There have also been some landmark rulings across the EU, including the ICO ticking off HMRC for not gaining consent for its voice identification system. However, it should be remembered that fines aren’t the only course of action open to the ICO; indeed they are often reserved for the worst offences. Often the ICO will warn companies, or restrict their processing activities until the problem has been fixed. These aren’t as newsworthy, so they don’t receive the media coverage that perhaps they should; after all, any sanction indicates bad practice.
What we have seen, though, is thousands of breach notifications submitted to the ICO, and, one assumes, to all the national supervisory authorities. In the six months after May 2018, more than 8,000 breaches were reported to the ICO in the UK, 1,700 of them in the first month alone. All these breach notifications take time to investigate, and the ICO has been tied up with legacy investigations, Cambridge Analytica being a prime example, while working with limited resources and a growing backlog. Add to this the fact that consumers are more aware of their rights, including the right to complain to the ICO, thereby increasing the number of cases that need investigation. It is therefore likely that we will see many more fines and sanctions coming to the fore in the coming months.
Many companies have been working hard to make sure that they are compliant. However, in view of the seeming lack of fines and sanctions from the regulators, many will see GDPR compliance as a box-ticking exercise. My view is that once the supervisory authorities get their teeth into the newer cases, i.e. those under the GDPR, they will be looking at how organisations have abided by the principles of data protection as well as the letter of the law. Probably the most important of these are accountability, transparency and demonstrability. In other words: can you prove that you tell people exactly what you are going to do with their data, can you assure your customers and employees that your business partners are also GDPR compliant and will keep the data secure, and finally do you have the necessary paperwork to prove it?
Some areas where those who treated GDPR compliance as a tick-box exercise for 2018 are likely to get caught out are as follows (this is not a full list by any stretch of the imagination!):
- Data protection impact assessments for all high risk and new processes.
- Legitimate Interest Assessments for all processes that cite legitimate interests as the lawful basis (this includes legacy processes).
- Training records to show that all employees receive annual training.
- Up-to-date records of processing activities.
- Policies and procedures that are reviewed annually to ensure they are fit for purpose.
- Due diligence on data processors.
- Written contracts for all data processors with data protection and confidentiality clauses.
- Privacy notices that accurately reflect ALL of the processing activities.
- Data retention schedules that are defined and adhered to.
So if you are truly accountable for where the data comes from, that it is lawfully and transparently collected and processed, that your staff are fully trained on data protection and your policies and procedures, that your processors are compliant and are working under the instruction of written contracts, that you have a clear map of your data flows, and finally that you are not keeping data for longer than is necessary, then you have nothing to worry about. If not then either hope that you are not caught out, or get in the experts.
Contact The Data Guardians today on firstname.lastname@example.org.