The GDPR – 4 months on
We have now all had time to consider the changes that have been made to our businesses since the GDPR came into force in May.
Many companies have reacted well to the compliance requirements, while others are still grappling with what it all means and whether they could in fact operate under their existing pre-GDPR policies. Most knew that changes were required to their privacy notices or statements so that they met the transparency principle as regards letting data subjects know what personal data they hold, how and why they hold it, and for how long. Those who embraced the full compliance programme became aware that their business needed other documents as well in order to demonstrate that they had done what was expected of them under the new regime.
The majority of businesses also came to understand that the GDPR doesn’t affect only the large, data-heavy companies, but every business that takes even the bare essential personal data (names, addresses etc.) to complete transactions with their customers and suppliers. The Regulation affects the small family-owned business and the corporate giants alike.
Boards have been put under pressure to commit resources to this surprisingly far-reaching legislation, which has infiltrated almost all aspects of their business. IT, HR, Governance and Marketing teams have been drawn in to explain their data processing activities internally, while commercial teams have been caught up identifying their third-party suppliers and those who have access to customer or employee personal data. In such cases, the data processing contracts that the GDPR mandates have been put in place to ensure cooperation, security and control of the data when it leaves your business. Whilst cumbersome, many companies will rest assured in the knowledge that a data breach by a third party, should one occur, will place that supplier in the direct path of the Information Commissioner’s Office (ICO), and any failure or negligent handling of personal data will be focused squarely on them, and not you. That is, of course, assuming that you have shown that you are compliant with your own data protection obligations.
Businesses that operate with high quantities of personal data or special category data have been particularly responsive, knowing as they do that they are vulnerable to sanctions should sensitive data fall into the wrong hands. These companies have compiled records of their processing activities. They have also ensured that a data breach policy has been prepared and an individual nominated within their company to deal with breach reporting. This person will take the reins and liaise internally with those who can assist with the investigation and deal with damage limitation when faced with lost or stolen documents, or a cybersecurity breach to their systems. A comfortable position for many board directors at this point is the knowledge that when panic sets in, they have a robust plan and have someone to lead the way.
The ICO have confirmed that so far, of all the data breaches reported since May, 1 in every 5 has been due to a cyber incident, and half of these were the result of phishing. It is therefore more important than ever to make sure that your employees not only get the data protection training required but that this training doesn’t lapse. Regular monitoring of your IT systems, combined with a raised data consciousness among your staff, will serve to minimise the breaches that occur.
500 or so breaches are now reported to the ICO on a weekly basis, which shows the magnitude of the problem. Some of these don’t meet the reporting criteria, although businesses are showing heightened responsibility in making contact and treating cybersecurity and data protection as a boardroom issue, which is to be commended. For those who have, to this point, tried to ignore the “hype”, I advise that you get with the programme, the compliance programme, that is.
I hope that this blog has been helpful but please don’t hesitate to contact me, Louise Weatherhead at Louise.firstname.lastname@example.org or by telephone on 0191 2263699 or speak to another member of the Data Protection Team if you require any further information.