General Data Protection Regulation – has it worked?

Over six months ago the General Data Protection Regulation (GDPR) came into effect, but how do we know if it worked? In this blog post, we’ll explore what impact GDPR has had – if any – and the scope for future enforcement of the legislation.

Let’s recap – what is GDPR?

GDPR is designed to harmonise data privacy law across Europe and to give individuals stronger protection and rights over their personal data: they can decide who they share their personal information with, and require organisations to remove it from their databases. It also gives them better control over, and understanding of, how their details are used.

The data protection regulation applies to any organisation, private or public, that handles personal information. It includes stricter rules around data processing and security, as well as harsher fines for those who don’t comply. GDPR replaced the 1995 Data Protection Directive, which had become out of date with the rise of big data, social media platforms and online marketing.

The UK government enacted a new Data Protection Act (DPA) 2018, which replaced the 1998 Data Protection Act, just before GDPR came into force. The new DPA incorporates most of the provisions of GDPR but also contains some small changes applicable only to the UK.
The Information Commissioner’s Office (ICO) is responsible for enforcing GDPR in the UK and has the power to conduct criminal investigations and issue fines where necessary.

What has happened in the first six months?

Five weeks after GDPR took effect, the ICO had recorded over 6,000 complaints about potential data breaches, more than double the figure for the previous year.

Organisations that don’t comply with the GDPR can be fined up to 4% of annual global turnover or €20 million – whichever is greater. However, it’s important to remember that not all infractions will lead to fines being issued.

The publicity around GDPR may have increased citizens’ awareness of their data rights. The regulation makes it easier for everyone to access the information organisations hold about them, which empowers the public to make well-informed decisions about their data. This has probably contributed to the number of complaints made since GDPR came into force.

No fines have been issued yet, but many companies, including Facebook and British Airways, are being investigated.

How many companies are GDPR compliant?

A study by TrustArc revealed that only 20% of organisations said they were GDPR compliant, 53% were still in the implementation phase and 27% had yet to execute the changes needed to comply with GDPR.

This shows that many organisations are still struggling with the challenges GDPR represents and haven’t yet implemented the appropriate processes into their day-to-day operations.

This may be because GDPR-related roles haven’t been filled yet, or because the process changes are more time-consuming and complex than expected.

In addition, PwC identified that many organisations failed to transform the technology they use to meet the requirements of GDPR. Most businesses focused on the ‘paper-based’ data protection requirements of GDPR, such as clear data processing policies, notices, contracts and opt-in/opt-out updates.

However, writing down procedures won’t stop data breaches and cyber attacks. Companies have to rely on technology to comply with GDPR, but the software they use also has to meet GDPR requirements in order to keep data secure.

For example, keeping data accurate and up-to-date is challenging without technology. At the same time, only authorised users should have access to that data, so organisations need software that supports their processes while enforcing those access controls.

For many, this means reviewing current systems and possibly implementing new software, as well as updating processes.

How to become GDPR compliant

Here are six steps to becoming and maintaining GDPR compliance:

1. Understand the GDPR legislation

It’s important for everyone in your business to understand GDPR and the consequences of not meeting the required standards. A compliance audit can help you with this, especially if a data protection officer is appointed as part of it. This should be a qualified professional who can explain the nuances of GDPR and help apply them to your business.

2. Create a data process register

Once your organisation has a clear understanding of what needs to be done to be compliant with GDPR, you need to keep a record of all the changes your company has made to meet the necessary requirements.
Effectively, this is a GDPR diary, which can be used to prove that your business has taken steps to become compliant.

3. Categorise your data

This step is all about understanding what data your organisation collects, processes and shares, as well as how best to protect it. First, you need to identify all Personally Identifiable Information (PII) of EU nationals, that is, information that can directly or indirectly identify someone.

Categorising this information can help you identify data that you collect but don’t necessarily need, as well as data that you shouldn’t be collecting any more under the GDPR framework.

You will need to find out where the PII is kept, how it’s processed, who has access to it and who it has been shared with. In addition, you’ll need to know who is responsible for data control and processing as well as ensure that all necessary agreements for data control and processing are in place.

4. Data evaluation

Once you’ve identified and categorised your data, it’s crucial to evaluate it. Look at how it’s been collected and protected. When assessing the most private information, you should ask: does your business really need this information, and why? This is the most sensitive kind of information, as it is also the most valuable to hackers.

You should complete a Privacy Impact Assessment (PIA) and a Data Protection Impact Assessment (DPIA) covering all security policies, analysing the data life-cycle from origination to destruction. This is to ensure your security processes meet the GDPR rules on data portability, processing and the ‘right to be forgotten’.

In addition to the process evaluation, you should also review your technology to ensure that your data is truly protected from hackers. This will include regular audits of encryption, back-up procedures and storage.

5. Business risk assessment

The next stage requires you to assess and document the other data risks in your business in order to identify any vulnerable areas. You should keep a record of all these weaknesses and the appropriate solutions for each, to show how your company is going to address the remaining risks.

6. Revise and repeat

Step six is all about reviewing the outcome of previous steps, fixing any potential problems and updating where necessary. Once this is completed, you should set new priorities for your organisation and repeat the process from step four.

Security should be at the forefront of everything your business does in order to ensure GDPR compliance going forward. This will involve initial resource investment and regular maintenance, but your organisation will be able to build better relationships with your stakeholders based on transparency and trust.

What are the main GDPR challenges you’ve been dealing with? Let us know on our Twitter and LinkedIn accounts.