At the end of May 2019, the Information Commissioner’s Office (ICO) released an update reflecting on the changes that it had seen since the introduction of the General Data Protection Regulation (GDPR) in May 2018. You can read the full report here.
Whilst the headlines are full of how big businesses have been held to account for breaches of the GDPR and how further regulation is needed to stop data being used to influence election results, there are some interesting takeaway points which businesses should note.
The ICO has found that, in general, the public’s awareness of personal data, and of its importance, has increased since the implementation of GDPR. Rather alarmingly, it found that only 1 in 3 people have any trust in organisations that store personal data.
The report further states that 64% of people asked stated that they had noticed an increase in customers exercising their rights under GDPR.
Complaints of personal data breaches have increased in the last 12 months – a total of around 14,000 were reported, which is significantly higher than the 3,000 reported in the previous year. The number of data protection concerns raised with the ICO totalled 41,000, over double the figure from the previous year.
All this points to a more informed public, who are distrustful of organisations that hold data and who are more likely to raise concerns if data is not being held or processed properly.
Thankfully the ICO appears to be trying to assist companies rather than punish them, indicating that of the 14,000 personal data breaches reported, less than 17.5% required further action and less than 0.5% led to an improvement plan or penalty.
The ICO has many tools on its website designed to assist SMEs with their GDPR obligations, and in light of the change in culture brought about by GDPR, it is important that businesses ensure that they are compliant.
As a word of warning, below is an example of a breach where the ICO took formal action:
As a result of administrative errors, an organisation disclosed personal data to incorrect recipients. Our investigation determined that whilst this was not a systemic failing, it nevertheless demonstrated that established policies and procedures were not always being followed. The organisation was therefore issued with a reprimand to take certain steps to improve compliance with GDPR, including ensuring that all staff attended mandatory training, that policies and procedures be enforced and reiterated to staff on a regular basis, and that contact details be checked on all correspondence.
In a world of emails and predictive text, one could imagine that the risk of such disclosure is high.
A year on since the implementation of GDPR, it is advisable to review your compliance – follow our easy tips here:
Reviewing your GDPR compliance:
Stress test your processes on a regular basis. Review whether policies are clear and easily followed; if not, they should be revised and clarified. If the way you operate has changed, this could affect GDPR compliance, and policies need to be regularly updated to reflect recent changes, such as the guidance on transparency and consent from the European Data Protection Board.
Regular enactments of mock data breaches can help keep GDPR at the forefront for staff, as well as identifying where changes may be needed. Whenever policies are updated, make sure refresher training is conducted with relevant staff, with more detailed development training for any staff who are on the front line of data management. Regular training is one of the things the regulator will look for if anything does go wrong.
Staff should be encouraged to seek out, recognise and report data incidents, so make sure you have the right culture that encourages open reporting. The regulator wants to see prompt identification and reporting, as the longer it takes to identify a possible data breach, the more likely that a situation will mushroom out of control.
If you transfer personal data through third parties, such as suppliers, or transfer it outside the EU for any reason, it’s important that all related contracts and processes comply with GDPR requirements.
Make sure you understand the circumstances in which you are required to conduct Data Protection Impact Assessments. These are key to the GDPR philosophy of designing systems with privacy at their heart and should be undertaken whenever data processing could result in a high risk to individual rights and freedoms. Guidance on the ICO website sets this out in detail.
The contents of this article are for the purposes of general awareness only. They do not purport to constitute legal or professional advice. The law may have changed since this article was published. Readers should not act on the basis of the information included and should take appropriate professional advice upon their own particular circumstances.