It has now been 18 months since the GDPR was implemented continent-wide. So how has the regulation been implemented? Has it been consistently applied? Has it been proven to be effective?
The implementation of the GDPR in May 2018 sparked panic throughout organisations across Europe, prompting many of them to go speedily to lawyers, consultancies and IT firms alike, to ensure they were compliant before the deadline. But how has the GDPR been enforced and complied with?
Fairly recently, the UK’s Data Protection Authority, the Information Commissioner’s Office (ICO), has been flexing its muscles regarding organisations that have apparently fallen foul of their responsibilities to protect people’s personal information. Notices of ‘intention to fine’ were served on both British Airways and Marriott for cyber incidents, although these have often been wrongly reported as actual fines whereas, as yet, they are only intentions to fine. We have yet to see what the final outcome will be.
Plenty of organisations still have work to do to achieve a level of compliance in line with the regulation. It is still common to see websites without any adequate, visible or available Privacy or Cookie policies, and with no transparency about how one would go about exercising individual rights.
While it is hard to specify the level at which one would deem a company ‘GDPR compliant’, organisations can use the regulation and the guidance issued by the regulator to do as much as they can to ensure the safety of people’s personal data. And having comprehensive privacy information available to individuals is not just a first step towards compliance but is also key to adherence to the first principle of the Regulation, namely that personal data should be processed fairly, lawfully and transparently.
Many organisations also need to address their retention of individuals’ details. Under the GDPR, personal data should be deleted when it is no longer needed for the purpose for which it was obtained. As ambiguous as this can seem, not least because the timescales are generally unlikely to be prescribed, organisations need to identify and document their retention periods. This allows personal data to be deleted accordingly rather than stored in contravention of the Regulation. The reasons for the retention periods will invariably depend on business or legal circumstances.
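The point above, that a documented retention period per purpose is what makes deletion possible at all, can be turned into a routine check. The following is an added illustration, not code from the original article or from ClearComm: the retention schedule, the purposes, the day counts and the sample records are all constructed and hypothetical, and the check is deliberately generous to the organisation by only flagging records, not deleting them. What it shows that the paragraph does not is the third outcome: data held for a purpose with no documented retention period, which is the gap an audit would surface.

```python
from datetime import date, timedelta

# Constructed retention schedule keyed by processing purpose (hypothetical values).
# Each entry records the period AND the business or legal basis for it, because the
# basis is what an organisation will be asked to justify.
RETENTION_SCHEDULE = {
    "customer_orders":   {"days": 365 * 6, "basis": "assumed 6-year accounting records rule"},
    "marketing_consent": {"days": 365 * 2, "basis": "business: refresh consent every 2 years"},
    "job_applications":  {"days": 180,     "basis": "business: unsuccessful applicants"},
}

# Constructed sample records: the purpose the data was collected for and the date on
# which that purpose was fulfilled (order completed, application closed, and so on).
RECORDS = [
    {"id": 1, "purpose": "customer_orders",   "purpose_fulfilled": date(2013, 5, 1)},
    {"id": 2, "purpose": "customer_orders",   "purpose_fulfilled": date(2019, 1, 1)},
    {"id": 3, "purpose": "marketing_consent", "purpose_fulfilled": date(2017, 4, 30)},
    {"id": 4, "purpose": "job_applications",  "purpose_fulfilled": date(2019, 9, 1)},
    # No schedule entry exists for this purpose: nobody can say when it should go.
    {"id": 5, "purpose": "website_analytics", "purpose_fulfilled": date(2018, 6, 1)},
]

AS_OF = date(2019, 11, 1)  # constructed review date


def classify_records(records, schedule, today):
    """Sort records into 'delete', 'retain' and 'no_policy' buckets.

    'no_policy' is the compliance gap: data is being held for a purpose with no
    documented retention period, so it cannot be shown to be deleted on time.
    """
    result = {"delete": [], "retain": [], "no_policy": []}
    for rec in records:
        rule = schedule.get(rec["purpose"])
        if rule is None:
            result["no_policy"].append(rec["id"])
            continue
        expires = rec["purpose_fulfilled"] + timedelta(days=rule["days"])
        bucket = "delete" if today >= expires else "retain"
        result[bucket].append(rec["id"])
    return result


def review(today=AS_OF):
    """Run the check over the constructed records with the constructed schedule."""
    return classify_records(RECORDS, RETENTION_SCHEDULE, today)


if __name__ == "__main__":
    outcome = review()
    for bucket, ids in outcome.items():
        print(f"{bucket:>9}: {ids}")
    for purpose in {r["purpose"] for r in RECORDS} - set(RETENTION_SCHEDULE):
        print(f"missing retention period for purpose '{purpose}'")
```

Run as-is, the review date of 1 November 2019 puts records 1 and 3 past their periods, keeps 2 and 4, and flags record 5 as having no policy at all. In practice the schedule would live alongside the organisation’s record of processing activities, and the "no_policy" list is the one to act on first, since the others already have an answer.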
Staff training is vital for GDPR compliance. Most data breaches are the result of staff negligence arising from staff not knowing, or failing to understand or appreciate, their responsibilities. Whilst from a staff perspective adherence to the Regulation can be perceived as tedious and dull, organisations could try to make training as bespoke and as interactive as possible. This writer is sure that having to sit in front of a computer screen, scouring countless bland pages of policies, is an invitation to apathy.
Further, maintaining a culture of data privacy within a company is vital for the continued compliance of an organisation with the Regulation.
Do I need a Data Protection Officer? Who’s going to manage data breaches? How will we respond to Subject Access Requests? Who will manage any data processors used and maintain the contracts? These, among many others, are questions that may seem obvious. But it is worth noting that many organisations merely “park” them and, ostrich-like, fail to address them. This creates uncertainty and apprehension in staff members, as well as inconsistency within organisations. And we know that inconsistency, when it comes to personal data processing, often leads to data breaches.
Now, as for the “B” word: Brexit. At the time of writing, a ‘No-Deal’ exit looks increasingly likely. GDPR was, as a keen-eyed observer would be aware, part of Mrs May’s Withdrawal Bill. But, as we know, this was overwhelmingly rejected several times by the House of Commons. While the UK has actually implemented the GDPR through the Data Protection Act 2018, there is still uncertainty as to what the transfer of personal data across Europe would look like in a post-Brexit world, particularly one where there is ‘No Deal’.
Organisations will need to work with their counterparts abroad to understand whether alternative legal arrangements may be required in a ‘No-Deal’ scenario, where the other company is in an ‘adequate’ country which has not yet publicly indicated that personal data flows to the UK will be restricted. In the event of a ‘No-Deal’ scenario, the UK will, by default, become a “third country” (a country other than the EU member states and the three additional EEA countries that have adopted a national law implementing the GDPR). This means that the UK government will need to secure a full adequacy decision to allow the free flow of personal data between the EEA and the UK. The GDPR restricts the transfer of personal data to countries outside the EEA. If personal data is transferred to ‘third countries’ then the transfer must be protected by appropriate safeguards – an adequacy decision for that country being one of those safeguards (such as the adequacy decision recently made by the European Commission with regards to Japan, allowing the free flow of personal data between the two jurisdictions).
By March 2019, over 200,000 cases of data having been breached had been reported across Europe. And, sadly, there is no sign of this slowing down. But on a positive note, across the continent we can see the enforcement of the GDPR begin to take shape. For example, the Swedish Data Protection Authority (DPA) fined a municipality approximately 18,000 pounds for excessive use of facial recognition technology in monitoring the attendance of students at school. The Swedish Authority deemed the school to have been in contravention of several articles of the GDPR, including processing sensitive student data, failing to conduct an adequate impact assessment, and failing to consult with the DPA before deploying such a system in the first place.
However, breaching the Regulation involves more than just the monetary nature of fines or other sanctions. In these days when an immense amount of data is transferred electronically, “trust” in an organisation receiving it is paramount. And so any company deemed to be in breach of the Regulation is likely to incur significant reputational damage. Consequently, the large companies mentioned above have suffered reputational loss as well as the threat of considerable monetary sanction. Some legal firms and claims management companies are already ambulance chasing for affected people to take legal action if their data has been compromised. This is because, under the GDPR, any person who has suffered material or non-material damage as a result of an infringement of the GDPR has the right to receive compensation from the data controller or processor for the damage suffered.
Interestingly, organisations are now doing market research on whether their service users ‘trust’ them in their handling of personal data, as this writer found out whilst leaving a customer review last week. This is presumably to demonstrate their accountability. But just because customer survey results indicate that an organisation is ‘transparent and fair’ in its use of personal data, it doesn’t mean it actually is. The organisation still needs policies, procedures and due diligence to be a responsible and accountable organisation.
So does the GDPR work? Well, last year it definitely scared the life out of some organisations, which rushed to get compliant. But, until the BA and Marriott fine notices hit the headlines, there was a lot of complacency with regard to GDPR compliance. This writer, for example, heard many a time statements such as “but the ICO, they’re not going to be looking at companies like ours, are they? They’re going to go after the big boys” and “There’s no way that they are going to be able to enforce this”. The authors of those statements may be right. But, then again, the runes suggest otherwise.
A survey conducted in July 2019 revealed that almost a third of European businesses are still not compliant with the GDPR. Despite this, there are encouraging signs of increased maturity in data protection, with the new rules driving better, business-supporting practices.
It is also important for companies to remember that compliance is an ongoing process, not a one-off exercise. We live in a digital age where technology is advancing at an incredible rate. None of us would want our personal data compromised, and organisations should be constantly considering all risks around data protection and mitigating accordingly, especially when services are changed or introduced, staff turnover is high, or new suppliers are engaged.
As public awareness of data protection is increased by ever more publicised incidents and in a digital age where personal data processing is paramount to providing services, organisations need to wise up to what they need to have in place to meet the privacy needs of individuals. Imagine it was your information. How would you like it to be treated?
Data Protection Officer – ClearComm