According to the European Union (EU), the GDPR is the most important change in data privacy regulation in 20 years, one that it claims fundamentally reshapes how personal data is handled across every sector, from healthcare to banking and beyond.
Now that almost a year has passed since the GDPR came into effect, we have put together some lessons learned in this blog article.
We hope it helps you understand how far we have come and what still needs to be done one year on, why data privacy must be treated as a business priority, and how you can re-evaluate your GDPR preparedness.
Related Post: GDPR: Frequently Asked Questions
Disclaimer: This article was written for general information and does not claim to provide legal advice. To understand the full context of GDPR for your organization, please consult with a privacy compliance and/or legal professional.
As a quick reminder, the GDPR is an EU regulation that protects the personal data of individuals in the EU. Its territorial scope reaches well beyond the EU's borders: an organization anywhere in the world that offers goods or services to people in the EU, or monitors their behaviour, falls under it, which is why it has had a global impact on business.
The GDPR became applicable on May 25, 2018, and by February 2019 more than 59,000 breach notifications had been made to supervisory authorities under its mandatory notification requirement. That number is striking when set against figures from Deloitte showing that only 35 percent of organizations have a GDPR-compliant data breach notification process.
The European Data Protection Board released its first review of the GDPR in February 2019. It counted 206,326 cases reported by supervisory authorities. Most were complaints from individuals about how their data was processed, and fines imposed so far totalled 55,955,871 euros.
Truth be told, the GDPR was never going to be an easy regulation to comply with.
The GDPR has several nuanced areas that make even compliance experts scratch their heads. The data subject's "right to erasure" is a case in point: if you keep backups, must you erase them too when a request to "be forgotten" arrives? Our list of GDPR FAQs can help you answer this and other questions.
In the run-up to the regulation taking effect, many "experts" came and went, giving businesses good and bad advice on how to comply. The GDPR's remit is wide: it spans eight data subject rights and sets out the lawful bases for processing, of which consent is only one.
Almost a year later, a survey of UK SMBs by the insurer Hiscox found that 39% of firms were still unsure whether the GDPR affected them. The same report found that almost 96% of SMBs were unaware of the GDPR fines. With a maximum fine of 4% of worldwide annual turnover or 20 million euros, whichever is higher, a penalty could be a major blow to a smaller organization.
Charities are feeling the pinch too. One report describes charity mailing lists shrinking sharply under the GDPR's consent rules, with 53 percent of charities seeing a decrease in their email databases.
Even one year later, there are still numerous myths and misconceptions about GDPR compliance. If you’re not fully sure of the scope of GDPR for your organization, have a look at our article “GDPR Compliance: What You’re Doing Wrong – Common Myths and Misconceptions about GDPR”.
It can seem as if the GDPR has been sent to try us, but the ethos behind the regulation is a good one.
Respecting data privacy is part of the wider goal of building trusted relationships with customers. Survey after survey finds that customers want companies to be transparent, honest and respectful in their dealings with them.
In one study, 46 percent of consumers said they would "give a pass" to a company that had suffered a data breach if they were informed immediately; the GDPR has specific rules on notifying affected individuals without undue delay when a breach puts them at high risk.
Regulations that cover data protection and privacy aspects of personal data are there for a reason.
Privacy of personal data means being transparent about how it is used and giving the individual a say in that use. Regulations such as the GDPR provide a structure for building services and systems that incorporate user consent and choice in data use. Ultimately, that structure builds better relationships between a company and the people who deal with it.
Also bear in mind that the GDPR is just the start. Related legislation has already been passed: in the UK, the Data Protection Act 2018 (DPA 2018), which implements the GDPR in UK law, and in California, the California Consumer Privacy Act (CCPA).
People also seem to like data privacy protection. Analyst firm Ovum has found that two-thirds of US firms believe consumer pressure will bring GDPR-like regulation to the US.
Related Post: GDPR Compliance and Data Privacy
A year on, it is time to recheck our GDPR preparedness. Here is a quick list of items to help guide your path towards GDPR compliance:
First of all, work out whether the GDPR actually affects your firm; this may take some research. Start by reading our post "GDPR Compliance and Data Privacy" to get an idea of what it entails and who it affects.
If you want to go further, consider hiring an external firm to conduct a GDPR Posture Assessment.
The GDPR distinguishes ordinary personal data from "special categories" of personal data (such as health, biometric or political data), which carry stricter conditions. Make an inventory of the types of data you collect and process and map each to the relevant GDPR category; this tells you which requirements apply.
Consent has been the bugbear of GDPR compliance and the source of most complaints.
Complaints were filed against Facebook and Google on the day the GDPR took effect over "forced consent": if users do not consent to the data use, they do not get the service. Consent under the GDPR must be freely given, specific, informed and unambiguous, and it is not freely given when it is made a condition of a service that does not need that data. Requests for consent must therefore be as granular as possible, with separate choices for separate purposes.
Make sure you have a process in place to deal with data breaches. The GDPR sets strict rules on how to notify a breach and how quickly: the supervisory authority must be notified within 72 hours of becoming aware of it where feasible, and affected individuals without undue delay when the breach is likely to put them at high risk. Add this to your security policy and make sure the relevant personnel know the procedure.
The GDPR is built around the ethos of data protection by design and by default. This is a design-time obligation: build technical and organizational measures such as data minimisation and pseudonymisation into any digital service or system from the outset, and make sure that by default it processes only the personal data necessary for each purpose.
Security awareness training is a fundamental part of modern business.
We live in an age where cybersecurity and data privacy threats rely heavily on social engineering. Getting staff up to speed on cybersecurity threats is vital to data protection, and adding a training program on GDPR awareness is also important if your company must comply with the regulation.
A Data Protection Impact Assessment (DPIA) analyzes the lifecycle of personal data across your systems, assesses the necessity and proportionality of the processing and the risks it poses to individuals, and identifies ways to reduce those risks. The GDPR requires one for processing likely to result in a high risk to individuals. If you have not had one, or the data you collect or the way you process it has changed, look at getting a DPIA performed.
You may ultimately want expert advice from privacy or legal professionals on implementing the GDPR within your own industry and business. A GDPR Posture Assessment can be a first step in the right direction.
We may be a year into the GDPR, but its effects are still being felt. It has no doubt increased workloads and costs for any affected organization. However, it will hopefully pay off in improved customer relations and even prevent cybersecurity incidents.
Not sure how to implement a comprehensive privacy compliance program? Watch the recording of our webinar "Beyond GDPR: Implementing a Comprehensive Privacy Compliance Program".