GDPR one year on – will your organisation pass its GDPR MOT?
It’s just over a year now since the implementation of GDPR. This time last year you couldn’t move for GDPR information, advice, guidance and help. However, in all the rush to get ready for GDPR in 2018 very little attention was paid to the need to monitor processing for continuous improvement. One year after GDPR, less than 60% of organisations believe that they are compliant. Data breaches are common, some involving huge brand names, and consumers are more concerned than ever about the security of their data. GDPR is very much a live issue still.
With the first anniversary of GDPR passed, it’s time for many organisations to conduct their annual review, and there is increasing concern about how these reviews can take place without disruption to business as usual. GDPR compliance is not a static thing. You don’t achieve compliance and then sit back, job done. It’s a continuous and evolving thing. Your data environment changes all the time, so you need to be mindful of that to ensure that your GDPR compliance keeps pace.
The ICO has always made it clear that it views GDPR compliance as a journey rather than as a destination. Even if you were completely compliant on day one of GDPR, you can’t assume that you will still be compliant on day 365. GDPR compliance is not a box ticking exercise.
Article 24(1) of GDPR spells this out, stating that organisations are required to ‘implement technical and organisational measures to ensure, and demonstrate, compliance with GDPR’ as well as making it clear that organisations have an obligation to ‘review and update the measures as necessary’.
A year ago when GDPR was first introduced, the ICO stated that it did not necessarily expect everyone to be compliant from day one, and would be sympathetic to organisations that could demonstrate they were taking compliance seriously and could actively show that they were working towards compliance. However, a year down the line it’s likely that the ICO is going to take a firmer line. The ICO receives more than 500 calls a week alerting it to issues of data security and privacy and has issued several six-figure fines over the last year, some to very high-profile organisations.
- Pregnancy Club Bounty UK was fined more than £400,000 for illegally sharing the personal data of more than 14 million individuals.
- TalkTalk was fined the same amount for failing to take appropriate security measures to protect the personal data of its customers, including their bank details, which were then accessed in a cyber-attack.
- Carphone Warehouse was also fined for a similar breach through which cyber criminals obtained access to customers’ credit card data and other personal information.
- Uber was fined £385,000 after it paid off the hackers who stole the personal details of almost 3 million of its customers, without informing those customers that their data had been breached.
Data privacy is becoming a hot topic at the highest level of government and this situation is only going to intensify. Organisations need to be able to demonstrate their commitment to privacy by adopting a data protection by design and default approach. By definition, this approach requires ongoing attention – as your data needs change so do your data protection requirements.
At the very minimum, organisations are required to conduct an annual review to ensure that they remain compliant. It might be tempting to see this as a pure cost, as a box ticking exercise that has to be got through. However, we firmly believe an annual review is an opportunity not only to determine current levels of compliance but also to identify a real and pragmatic roadmap of improvements, one that isn’t just about the obligation to comply but also identifies commercial opportunities that could be delivered from that same roadmap.