GDPR one year on - how was it for you?

This is our latest article in the series headlined in our introductory article ‘What’s hot in GDPR right now?’

It is almost one year since the EU GDPR and the Data Protection Act 2018 came into force, and businesses and organisations all over the country faced their data protection demons.

But of course, data protection itself was not something new. There has been law around the topic for some 129 years; it is just that since 25 May 2018 the rules have been given a new lease of life, and the well-publicised (financial) risks of getting it wrong have pushed data protection into the spotlight.

Notwithstanding the two years of notice given before GDPR came into force, Google showed a massive spike in GDPR as a search term only one week before 25 May 2018 (apparently even more popular than Beyoncé or Kim Kardashian, according to the EU!). So what has happened since? Are organisations any more confident in how to achieve compliance? And what does compliance mean?

Compliance with GDPR is, in the words of the Information Commissioner herself, “a journey”. At the Executive Leaders Network Data Protection Conference earlier this month, which we attended, the themes under discussion included privacy by design, how we measure compliance, and biometrics. There remains plenty of conversation around consent and, of course, the B-word (Brexit!). These themes are commented on below.

Privacy by Design

With most of us now reasonably well versed in the principles of GDPR and the messages of accountability and transparency, we are being urged by the ICO to integrate data protection compliance further into our culture and activities. Over the past year many of us have been focussing on the past: ensuring that the personal data we hold is processed compliantly, that our customer- and employee-facing notices are up to date, and that our processor contracts are compliant.

While this will inevitably be an ongoing task, with lessons continually being learnt, we are now being urged to look forward. When we begin a new project, we must consider whether a data protection impact assessment (DPIA) is necessary (and, where it is not necessary, whether it might still be a helpful record of our plans and risk assessments). We must always factor in the safeguarding of personal data and compliant processing, embedding it in the design of our processes. This makes good business sense, as it helps us to manage commercial risk and cuts down management time in the long term.

Measuring Compliance

How do we know that what we are doing in respect of GDPR is ‘working’? Using KPIs to measure compliance is perhaps difficult to envisage at first. How a policy is received and put into practice may appear unmeasurable. But there are measurements that can certainly be kept: consider tracking the number of data subject access requests (DSARs) that you receive and at what points throughout the year. You can monitor trends in activity against the customer journey or a financial year, and your response time in each case. You can look at streamlining response processes and an effective data cleanse policy as a way of reducing the amount of data you hold, and therefore the time involved in DSAR responses.

The same can be recorded in relation to data breaches: when they typically occur, and the number of near misses against reportable breaches. How quickly are breaches escalated to the relevant contact points, who is discovering the breaches and/or complaints, and in what quantity?

Perhaps it transpires that response times are less prompt during August or December, when staff are typically away on annual leave. But remember, GDPR doesn’t take annual leave! Identifying trends can help you resource accordingly and demonstrate the steps you take to safeguard data subject rights at all times. You need to keep a log of data breaches anyway, but this is a way of using the log as a management tool. The ICO has released a blog on this very topic, which can be found at https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/05/blog-data-protection-doesn-t-take-a-day-off/

Biometrics

Another hot topic for the ICO is the use of biometric data. New technology is exciting and its use can be a great USP for many organisations. However, it must not be forgotten that GDPR requires this data to be safeguarded just as our bank details or medical records would be. This is a fast-paced world, and the ICO’s latest comment can be found at https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/05/blog-using-biometric-data-in-a-fair-transparent-and-accountable-manner/

Consent

It seems that many of you are still grappling with when and how to obtain consent from your contacts. Remember, if an alternative legal basis for processing is available to you, then you will find it much easier to rely on that other basis. Certain electronic marketing activities have always required consent, however, and so if in doubt you should take advice to make sure that you understand your rights and the rights of your data subjects.

Our article ‘GDPR - is it all about consent?’ (https://www.dhirubhai.net/pulse/gdpr-all-consent-karen-harrison/) includes some great hints and tips, and our article ‘Marketing within the law’ will be out soon.

Brexit

Brexit is still the elephant in the room in many respects; until we know the form of any deal, if indeed there is to be one, it is not possible to say with any certainty how leaving the EU will impact our activities around data protection. What we do know is that GDPR will remain part of our lives after Brexit, and, particularly where organisations trade with Europe, the standards set by the legislation will continue to be an indication of best practice against which consumers and clients will judge us.

Data protection and an expectation of fair and secure processing look here to stay, so we should use them to help our businesses grow.

We should all be doing our first annual review of GDPR compliance, and Knights plc have developed a toolkit to help you with that review. If you would like to discuss this further or enquire about our audit and policy review services, please call one of the Knights plc Data Protection Team, whose details can be found here:

More articles by Katherine Douse