25 May 2018 marked a watershed in privacy and information rights with the implementation of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
Getting privacy right is more than ever a top priority for businesses, which will need to keep changing to meet the demands of the new laws.
Many people are aware of the new rights the GDPR brings, with increased protection for the public and increased obligations on businesses.
People increasingly want to know how their data is being used, and how it is being safely managed.
Year one of the GDPR has seen people realise the value and potential of their personal data. There is a greater awareness of the law, in particular the data rights of individuals, and a greater awareness of the role of the regulator where rights aren’t being respected.
In year two of the GDPR businesses will need to shift up a gear from their initial focus on baseline compliance to full knowledge and accountability of the risks to individuals in the way they process data and how those risks should be mitigated. Those with primary responsibility for this must be well supported and resourced from the top down with a culture that everyone has some responsibility for data protection.
The push to be ready for the GDPR prompted organisations to make significant changes in a short time. There is still a long way to go to truly embed the GDPR and to fully understand the impact of the new legislation. In an Information Commissioner's Office (“ICO”) survey, nearly 50% of respondents faced unexpected consequences as a result of the GDPR.
The ICO have said they will continue to focus on the areas identified as their regulatory priorities. These include: cyber security; AI, big data and machine learning; web and cross-device tracking for marketing purposes; children’s privacy; use of surveillance and facial recognition technology; data broking; the use of personal information in political campaigns; and freedom of information compliance.
So, what do businesses need to focus on? Perhaps it should be the adoption of a mind-set that the personal data they control or process is not theirs and it belongs to the data subjects. They must treat the data as something they are taking care of and are responsible for and not something that they own. The data needs to be secure at all times with the right protection in place to ensure only those who should use it or see it can do so.
Some practical matters to look at following initial compliance programmes may include:
1. Policies and procedures
Do your current policies and procedures need amending to ensure an on-going culture of data protection responsibility? These then need to be disseminated to the business, implemented, monitored and enforced.
2. Customer / supplier relationships
Do your contracts with your customers and your suppliers comply with the requirements of the GDPR? These may then need to be amended and brought into effect.
3. Privacy Impact Assessments
Do you understand the circumstances in which you are required to undertake Privacy Impact Assessments and are you set up to carry them out?
4. GDPR training
Do you have a programme for ongoing and periodic staff training? The ICO will want to know what training has been undertaken if anything does go wrong.
5. Security breaches
Do your staff know what to do if there is a data security breach or if a Data Protection Authority commences any investigation or action?
Data Protection is now an integral part of a business’s operations and compliance should be viewed as a strategic advantage and not a problem that continually has to be managed. For guidance and support contact a member of the FG Solicitors team.