This article was written by Mark Gracey from the Digital Compliance Hub, a GDPR and data privacy support service based in Dorset.
Do you remember the first half of 2018? Everyone was GDPR crazy. Re-seeking consent emails were coming from everywhere (many of them unnecessary, and destroying email list subscriptions in the process), and everyone was rushing to be GDPR compliant by GDPR D-Day, 25th May 2018, some perhaps becoming aware for the first time of what they could and couldn’t do with data, despite the GDPR being an update to a 20-year-old UK law (the Data Protection Act 1998).
Just over 12 months on, no one is really talking about it as a business challenge, and the most you’ll get from anyone on the mention of the data protection regulation is perhaps a moan as someone recalls the 6-month (or more) project they had to endure to get it right in the lead-up to the deadline. It’s as though everyone thinks GDPR was a Y2K problem (if you’re old enough to remember 1999 and the doom predicted as computers failed to cope with the change from 1999 to 2000, with major IT failures expected).
But it couldn’t be further from the truth. The General Data Protection Regulation (GDPR) was not a one-off compliance box-ticking exercise. Just as the Data Protection Act 1998 before it, the GDPR is here to stay for years to come. It was in force on 25th May 2018 and 25th May 2019, and it is in force today, tomorrow, next month and next year, until a new law comes in to replace it. It is relatively IT neutral, so it is unlikely to need updating to keep track of new technologies; after all, the GDPR is about personal data, data that identifies an individual, and it applies regardless of how that data is processed.
In fact, the GDPR itself sets out the ongoing compliance requirements. Article 24 requires those processing data not only to put measures in place to ensure GDPR compliance, but also that “those measures shall be reviewed and updated where necessary”. That means we all have a duty to ensure we are always data protection compliant.
Part of the reason it’s not on businesses’ radar at the moment is probably the lack of enforcement. In the first year of GDPR there were only 7 recorded GDPR enforcement actions across the whole of the EU, and the UK’s only action, back in October 2018, was a demand to delete data rather than a formal enforcement action. But this is set to change; just look at the facts:
Whilst it remains to be seen whether the BA and Marriott Hotels fines will actually be as big as the intentions to fine, it’s an indication that the ICO (Information Commissioner’s Office, the GDPR enforcer in the UK) are getting to the GDPR side of their complaints backlog and are willing to flex their new-found GDPR muscles when it comes to enforcement. By the way, those 41,000+ complaints were almost double what it received the year before (in a pre-GDPR world).
We shouldn’t focus on the BA and Marriott fines too much, as these are just headline-grabbing numbers which the press like to report about big-name businesses. The challenge for most businesses is always to understand the implications of these ICO actions for their own business. And it’s important that you do reflect on what ICO enforcement could mean for your business, because buried within the actual enforcement notices (which the ICO publish) is often a goldmine of what compliance should look like, or what it means in practice. For example:
But looking further afield, did you know:
So, you see, these are just a few examples of how data protection compliance evolves over time. We’re in the early years of GDPR compliance, and as the ICO (and the other EU regulators) start enforcing under GDPR we will start building a picture of what best practice should look like. If you’re not paying attention to how the GDPR is interpreted across the EU as well as the UK, how can you be sure you are still compliant, and how can you demonstrate to the ICO, should they ask, that you are still compliant?
So, what should you be doing? Here are some questions you should be asking yourself:
If you’ve not thought any more about GDPR compliance within your business since May 2018, maybe it’s time to revisit GDPR, get up to date and make sure you stay compliant today and into the future.
Mark’s 20+ years’ experience of working as a regulatory manager in the internet and telecoms sector, focusing on data protection, data retention, content liability and policy, puts him in a unique position to offer practical data protection, GDPR and privacy compliance advice and support.