Insights overview

GDPR – A year in review, where are you now?

The 25 May 2019 marked the one-year point since the coming into force of the General Data Protection Regulation (GDPR) and the UK Data Protection… Read more

more content below

The 25 May 2019 marked the one-year point since the coming into force of the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018. Introduced to implement a set of standardised data protection laws across Europe and to increase individual rights to privacy, the early months of 2018 saw many businesses scrambling to put in place GDPR compliant procedures prior to the implementation date.

Where are you now?

The GDPR anniversary provides a good opportunity for organisations to take note of where they are now, and what changes they might need to make to their compliance programmes in the year ahead.

In the rush to prepare for the implementation of the GDPR many organisations focused mainly on their external facing processing activities, leaving their internal activities for a later date. Others have yet to pass the first hurdle as they continue to complete their initial data mapping exercises and have yet to complete their GDPR contract review.

A year from the implementation date, any notional grace period will now certainly be over. Organisations will be expected to have implemented a basic level of GDPR compliance and should now be reflecting on those policies and procedures to assess continued compliance.

What does continued compliance look like?

Registration with the ICO – all organisations that process personal data as a controller must pay a fee of between £40 and £2,900 to the ICO unless they are exempt from doing so. The ICO has now stepped up its enforcement in this area, with 1,936 notices of intent for non-payment and 103 fines for failure to respond issued as of 25 January 2019.
Policies, procedures and data processing records – all organisations should ensure they put in place and update their:

Internal and external facing privacy notices;
Data processing records, inventories and data flow documentation;
Procedures for reporting, responding to and recording data breaches and subject access and individual rights requests.

Your policies, procedures and data processing records should be kept up to date to ensure they keep pace with changes in your business. As your business continues to grow you should ensure that this documentation is updated to capture the collection of new categories of data, the processing of that data for additional purposes, and the wider sharing of personal data.

Entering into GDPR compliant terms – standard terms and conditions should include the mandatory article 28 terms to be entered into between controllers and processors. To the extent that your existing contract review is ongoing, you should ensure that this project is not put out to pasture, as your technical and organisational measures may be called into question in the event of a future data breach, or disputes with third parties.

Protecting international data flows – earlier this year the prospect of a no-deal Brexit saw many organisations scrambling once more to implement standard contractual clauses to protect EU to UK data flows. Whilst there appears to be some reprieve on this front for the time being, organisations should ensure that they are aware of the implications of a withdrawal from the European Union on any international transfers to ensure continued compliance.

Review of existing procedures – now that the initial GDPR rush has died down, you should not be afraid to review your existing processes, as you assess where you might have gaps in your processes or areas which are open to improvement.

Employee training – to maintain high levels of employee engagement you should assess where your employees might benefit from ongoing training. This is a key theme that has emerged as the ICO has investigated complaints of data protection compliance breaches. Further the ICO’s data breach reporting form includes a section querying whether staff involved in an incident have undergone GDPR training in the last two years. Such training sessions should be tailored to specific needs and issues of your business rather than a re-run of earlier sessions. Incorporating an element of employee testing, GDPR spot checks, and appointing data custodians overseeing your processes can also encourage wider buy in from your business.