A summary of the first year of GDPR
Saturday 25th May 2019 marked the first anniversary of the European Union’s General Data Protection Regulation (GDPR) coming into effect. Now that a year has passed, we look at the key developments and decisions that have taken place.
What have we learned since 25th May 2018?
GDPR compliance requires, and will continue to demand, ongoing attention, which brings its own set of challenges. The biggest of these is ensuring that adequate resources are available within the organisation to fulfil the requirements set out in the GDPR: organisations of every size frequently lack the personnel and the budget needed to meet the additional demands placed on them.
The change in the regulatory landscape has, however, shown the importance of getting privacy right and has publicly exposed the shortcomings of many organisations.
Brexit
Brexit will no doubt have a role to play in future developments in data protection and the GDPR. Further legislation in this area is also highly likely, including the E-Privacy Regulation, which is intended to replace the current e-Privacy Directive.
The Data Protection Act 2018 is designed to ensure that the UK will be able to continue exchanging personal data with the EU after Brexit. When the UK leaves the EU it becomes a ‘third country’ for the purposes of personal data transfers, and it will need to demonstrate an adequate level of data protection (for example through an adequacy decision from the European Commission) if transfers of data between the EU and the UK are to continue unhindered.
Whether, when and on what basis the UK exits the EU, however, remains to be seen.
GDPR breaches
During the first few months after the GDPR came into force, the Information Commissioner’s Office (ICO) began with exploratory investigations, mainly offering recommendations and guidance to organisations found to be in breach. In effect, the ICO allowed a degree of leeway and gave organisations the opportunity to bring their operations up to speed quickly.
However, this phase is now largely over: the ICO is increasing the level of enforcement and contraventions are being sanctioned. Several penalties have been issued, although not all of them under the GDPR itself. Where the conduct pre-dated 25th May 2018 the ICO had to act under the Data Protection Act 1998, which capped fines at £500,000, and unsolicited-marketing cases are brought under the Privacy and Electronic Communications Regulations (PECR) rather than the GDPR. Some of the higher-profile examples are shown below:
- HMRC was recently issued with an enforcement notice for failing to obtain adequate consent before collecting callers’ personal data (the voice recordings used for its Voice ID service).
- Uber was fined £385,000 for inadequate security arrangements that allowed cyber attackers to download a large amount of personal data about drivers and customers (a 2016 incident, penalised under the 1998 Act).
- Facebook Ireland Ltd was fined £500,000, the maximum available under the 1998 Act, for a serious breach of data protection law: the company allowed personal data about the Facebook friends of app users to be collected without those friends consenting or being informed.
- Gloucestershire Police was fined £80,000 for revealing the identities of abuse victims by sending a bulk email with the recipients’ addresses visible to every recipient rather than blind-copied.
- Hall and Hanley Ltd, a PPI claims management company, was fined £120,000 under PECR for sending 3,560,211 unlawful marketing texts about its services.
Substantial fines can have a significant impact on the reputation of organisations found to be non-compliant, as the recent ICO cases against Facebook and Uber show, and as the French regulator CNIL’s €50 million fine against Google in January 2019 shows on the wider European stage. In addition to fines, organisations must also be aware of the regulator’s power to impose a temporary or definitive ban on processing, which for a business that depends on its data can be more disruptive than the fine itself.
What’s next?
Moving forward, it will be critical for businesses to keep up to date with regulatory guidance and enforcement decisions so that they know when internal processes need updating.
The ICO states on its website that ‘The focus for the second year of the GDPR must be beyond baseline compliance – organisations need to shift their focus to accountability with a real evidenced understanding of the risks to individuals in the way they process data and how those risks should be mitigated. Well-supported and resourced DPOs are central to effective accountability.’
The penalties for non-compliance and the potential reputational damage are severe, and companies cannot afford to let privacy programmes lapse.
How can CH Digital help businesses achieve and maintain GDPR compliance?
The document scanning and document management services that CH Digital offers, together with our Live-Docs solution, can help you achieve and maintain GDPR compliance, particularly where there is legacy data such as large volumes of archived documents or customer files, effectively creating ‘structure’ out of ‘unstructured’ paper records.
Our Live-Docs solution is set up to support compliance with the following requirements of the GDPR:
- Right to rectification (Article 16) – Live-Docs allows personal data to be completed or amended where it is inaccurate or incomplete.
- Right to erasure (Article 17), also known as ‘the right to be forgotten’ – Live-Docs enables the permanent deletion of personal data.
- Right to data portability (Article 20) – Live-Docs allows the data to be exported in a structured, commonly used and machine-readable format.
- Subject access requests (SARs, Article 15) – with legacy data converted into digital form, a SAR can be satisfied comfortably within the one-month timescale set by the GDPR (extendable by a further two months for complex or numerous requests). This is particularly helpful now that the £10 fee which the Data Protection Act 1998 allowed organisations to charge for a SAR has been removed; under the GDPR a fee can only be charged where a request is manifestly unfounded or excessive.
If you would like to discuss this topic further and find out how CH Digital can help your business, then please contact Louise Horton or Ian Hay on 01827 726934.