The General Data Protection Regulation (GDPR) is now a month old, and while it might have felt like its arrival on 25 May was more of a damp squib than a big bang, the Information Commissioner’s Office (ICO) has been busy in that first month:
- The British and Foreign Bible Society was fined £100k for a data breach that resulted from their network being compromised due to insufficient security.
- Yahoo! was fined £250k after their high profile 2014 data breach.
- Gloucestershire Police was fined £80,000 after sending a bulk email that identified victims of non-recent child abuse.
Of course, this enforcement action was all taken under the Data Protection Act 1998, so we’re still waiting for the first GDPR-related enforcement action. That may well be against Dixons Carphone – an incident has been notified to the ICO, and they are currently assessing it to see if it must be handled under the 1998 Act or the new laws. Islington Council may also be investigated for requesting credit card numbers to be sent to them on a Word form via non-secure email to pay for parking bay suspension applications.
The ICO has also maintained their regulatory focus on unlawful marketing activity, with BT fined £77,000 under the Privacy and Electronic Communications Regulations (PECR) after sending nearly five million nuisance emails to customers. The investigation found that the company did not have the consent of those customers to send them direct marketing emails.
The ICO is also keen to stress that this is not the time for organisations who are subject to the GDPR to relax or take their eye off the ball. Elizabeth Denham, the Information Commissioner, has said that “GDPR compliance will be an ongoing journey… you will be expected to continue to identify and address emerging privacy and security risks in the weeks, months and years beyond May 2018.”
So despite the efforts we have all made in the run-up to the 25 May implementation date, it is clear that this isn’t the end of the hard work – in some ways, it’s just the start. There are a number of tasks that organisations should now be looking to undertake, along with responding to requests and issues as they arise.
For example, to ensure that your risk assessments and controls are still relevant and up-to-date, you should consider the following:
- Security assessments (article 32 states that organisations should have ‘a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing’);
- Regular auditing, monitoring and reviewing of data protection compliance;
- Assessing any new vendors and third parties for appropriate data protection measures;
- Periodically reviewing records of processing activities to ensure they remain current;
- Drafting appropriate privacy notices for any new data collection activities, including capturing consent, where necessary;
- Undertaking data protection impact assessments (DPIAs) on any new high-risk processing activities, while keeping under review any existing DPIAs as projects progress.
And, of course, there are the business-as-usual tasks of managing and responding to data subject requests as and when they are received, and responding to any data security incidents that might arise. With the new request deadlines and breach notification requirements, it is essential that processes are designed to expedite the organisational response and keep appropriate records of any decisions taken.
Perfect Image can help you with a number of these tasks, whether that is consultancy to help you to develop procedures and processes; conducting audits and assessments; or hands-on involvement with request management. If you’d like a chat to discuss your needs, feel free to contact us.
Finally, there are some developments to keep an eye on in the future:
- Look out for the new E-Privacy Regulation, expected in 2019, which covers electronic marketing and cookie compliance.
- Keep checking for new and amended guidance notes from the ICO and the European Data Protection Board (EDPB) – in the pipeline are notes on contracts and liabilities between controllers and processors; the ICO’s Regulatory Action Policy; and the GDPR certification mechanism.
- Further ahead, the government will have to consider the impact of Brexit on our domestic data protection regime, and our ability to trade seamlessly with countries in the EU (which will depend on the continued free movement of data between the UK and the EU).