One Year On: Is the GDPR Headache Over?
Caleb Alexander
Startup Legal Advisor @Linkilaw | Fixed Rate Legal Work | Startup Consultant | Award Winning Startup & SME Expert
Cast your memories back to before the 25th May 2018 and it’s quite likely that a blur of GDPR chaos brings on a compliance-induced migraine. For many businesses, the much-anticipated date arrived, a sigh of relief followed and data protection seemingly became less of a priority. A year on from the implementation of the General Data Protection Regulation, we see that the efforts of compliance are not over – at least they shouldn’t be. In this blog post, we’ll take a look at how businesses, individuals and the ICO have dealt with the new regulations and how the ongoing matters of data protection are revealing some significant societal concerns.
How have businesses and individuals responded to the GDPR?
Elizabeth Denham, Information Commissioner at the ICO (Information Commissioner’s Office), points out that the GDPR has brought about “increased protection for the public and increased obligation for organisations”. As one might expect, in this first year of GDPR, businesses have put more stress on becoming compliant, with the ICO reporting a 66% increase in the number of interactions via their helpline, web chat and written response services compared to the previous year.
Whilst organisations are focussing on implementing compliance, individuals are becoming more aware of the control they have over their data. According to their report, “GDPR: One Year On”, the ICO received over 41,000 data protection concerns from the public between May 2018 and 2019 – almost double the number received for the previous year. Of these complaints, 38% were subject access requests, where an individual requests access to their personal information. Individuals are taking their information rights more seriously, it would seem.
At the forefront of businesses’ efforts to be compliant are the DPOs (Data Protection Officers), who at least two-thirds of the time felt they were supported by senior staff within their organisation. The ICO report found that the responsibility held by a DPO was particularly prominent in larger organisations. In such organisations, a DPO often carries the skills of a ‘data professional’. The ongoing challenges facing data professionals of this sort, not only in ensuring compliance but in laying out a suitable “accountability framework”, have led to some innovative and beneficial work on data protection. For example, some of the nominations for the Practitioner Award for Excellence in Data Protection showcased work which demonstrated the future benefits of GDPR compliance to a business, produced guidelines and training modules tailored to the needs of each business, or ran specific companies which aid SMEs or charities with GDPR compliance.
Whilst a lot has been done by larger businesses to go beyond just compliance, for SMEs and smaller companies, where resources are more scarce and the DPO role might be held by someone who has an uncertain understanding of their data flow, simply transitioning smoothly to compliance is difficult. In light of this, the ICO presented a “Guide to GDPR” which can supplement any direct communication through the helpline, live chat or web services.
How has the ICO responded to GDPR?
The ICO has been equally proactive in its response to the GDPR by offering support to businesses and individuals. Since May 2018 it has launched the “Your Data Matters” campaign, which raises awareness of the rights individuals have relating to their data protection and how they can exercise those rights. As a result, the ICO reported 2.5 million individuals accessing their website – a 32% increase.
In response to reported data breaches, the ICO’s regulatory objectives don’t just focus on the big, headline-grabbing fines. Instead, the primary constructive purposes of the ICO are to: i) respond swiftly and effectively to breaches; ii) target organisations and individuals suspected of repeated or wilful misconduct; iii) support compliance with the law and promote good practice; iv) be proactive in identifying and mitigating emerging risks from societal change; and v) cooperate with other regulators and interested parties in navigating the global and interconnected technological landscape.
Increasing transparency has also been an aim of the ICO in order to help raise awareness in the public sphere. In order to reveal to the public how their personal information is being used, investigations have been opened to shed light on otherwise opaque processing of data.
In extreme cases of personal data violations, such as the Cambridge Analytica controversy involving the “behind the scenes” use of personal data to target political messages to individuals, the ICO is instrumental in pulling back the veil that renders such data handling invisible. Such misuse of personal information to potentially influence the electorate in a behind-the-scenes manner challenges any democratic election process. As Elizabeth Denham commented in the investigation on Cambridge Analytica, “citizens have woken up to the fact that transparency is the cornerstone of democracy”. In the wake of the GDPR, the ICO, therefore, plays an even greater role not just in supporting businesses and ensuring compliance, but in upholding our democracy.
Year 2: The Legal Legacy and the Battle for Human Rights
GDPR has brought more than just box-ticking compliance. Whilst many organisations proactively address the matter of compliance and the accountability framework, they are not the only ones who are presented with new challenges. According to the ICO’s One Year On report, “The challenges are as real for the ICO, as regulator, as they are for those we regulate.”
The nature of the constantly moving technological landscape means organisations are bringing about new concerns of data protection. As a result, the ICO has needed to expand its capability to deal with more complex areas. One interesting example includes the recent case between South Wales Police and Ed Bridges, who felt his privacy was violated and data laws breached when he believed that his image as an innocent bystander in a crowd was captured by facial recognition technology. This contentious issue, and others brought about by new technologies, require some clear codes of practice to be outlined by regulators like the ICO. One step in this direction for the year ahead is to introduce such codes, which will help to apply GDPR effectively in this changing landscape.
Not only do challenges arise in both the implementation of GDPR and the enforcement of the regulations, but a societal dilemma presents itself in the battle between data-driven technological development, with its great potential benefits, and the seemingly innate human right to privacy. Moreover, it is likely that in the heat of the ever-changing political climate, democratic transparency will continue to be challenged. The painkiller that the months following May 2018 provided was only temporary, and as the second year of the GDPR is underway it seems likely that the headaches will continue. Moving into Year 2, we will no doubt see the need for regulators, organisations and individuals alike to keep up their data protection efforts.