It is now just over a year since the General Data Protection Regulation (GDPR) was born.
Whilst the birth of the GDPR was a difficult one for many organisations, what we now have is the equivalent of a healthy young child who has started to walk and talk but still needs to get over some initial teething problems.
The purpose of the GDPR was to provide a set of standardised data protection laws across the EU to enhance the rights of individual data subjects and ensure transparency regarding the use of personal data. Organisations now need to be clear about the personal data they hold, for what purposes it may be used and with whom it may be shared.
The GDPR can be considered as a global privacy standard. As a result of the GDPR, the privacy and protection of data subjects is being re-evaluated on a global scale, with other countries around the world seeking to revise their laws so that they are aligned with the GDPR, particularly those seeking to do business with Europe. At a corporate level, an increased focus on data protection has led to companies such as Facebook making changes to their privacy and data handling policies, as well as introducing special protection for teenagers. And from a regulatory perspective, data protection authorities across the EU have seen a marked increase in reports of personal data breaches in the wake of the GDPR’s implementation.
There have however been teething problems. Organisations have undoubtedly faced challenges in understanding the full impact of the GDPR and what changes are necessary to operational policies and procedures to achieve full compliance. For example, the issue of when and to what extent consent to processing is required under the GDPR remains a difficult one, particularly in relation to consent for marketing purposes under the e-privacy regulations, and implementing measures to obtain and record consents given by data subjects.
The data protection authorities throughout the EU have had to spend time in consultation with each other, ensuring that their guidance on practical aspects of the GDPR reflects a consistent interpretation of its requirements. They have also had to increase staffing levels in order to provide this guidance and to deal with an increasing volume of data protection complaints and personal data breach notifications.
Resourcing, both financially and in relation to personnel, is also a key issue for organisations because data protection compliance requires ongoing attention, not least to deal with the need to respond to data subject access requests and to ensure that commercial contracts with others in the supply chain are GDPR compliant.
Many organisations still have some way to go in understanding how to achieve full GDPR compliance, getting to grips with the policies and procedures required and putting in place measures to support the requirements of the GDPR, for example in responding to any personal data breach within 72 hours. There is also a need to keep up to date with enforcement decisions and guidance issued by the data protection authorities and others such as the European Data Protection Board.
Further guidance continues to be worked on by the data protection authorities, with the Information Commissioner’s Office in the UK currently working on guidance as to the use and transfer of personal data after the UK leaves the EU (at which point the UK will be regarded by the EU as a ‘third country’ for data protection purposes).
Enforcement of the GDPR and dealing with non-compliance issues has perhaps not been a major priority to date for the ICO or any of the other data protection authorities, but the ICO has said that it will act swiftly and effectively against those organisations who do not take their GDPR compliance responsibilities seriously. According to a report published in late February by the European Data Protection Board, during the first nine months that the GDPR was in effect the total penalties imposed amounted to €55,955,871, of which the fine of €50 million imposed on Google for breach of the GDPR in France forms the most substantial part. More fines are likely as current investigations into GDPR non-compliance are completed.
Reflecting on the above, the GDPR has achieved a lot in a relatively short period of time. It has helped to focus organisations and individuals on what constitutes personal data and how that personal data is protected. The GDPR has had global impact, but still needs to develop in terms of enforcement and guidance, particularly in relation to how it applies to new technologies, such as artificial intelligence. Organisations must continue to achieve compliance and ensure that their existing policies and procedures are up to date. They need to understand how to respond to data subjects’ requests, how to deal with personal data breaches, and why it is important to maintain a record of decisions made regarding the processing of personal data.
With the challenges that lie ahead, we expect to see the GDPR put on something of a growth spurt. Its years as a precocious teenager may be some way ahead, but for now it is more than finding its feet and will certainly scream pretty loudly if it needs anything!
The article was first published in Business Weekly.