GDPR - Where Are We Now?
In May 2018, the General Data Protection Regulation (GDPR), the most significant data protection update in over 20 years, came into effect.
Companies across the EU have been scrambling to come to terms with the requirements of GDPR since its legislation completed in April 2016. Data privacy, in general, has been a burning topic, fuelled by developments such as the controversial Cambridge Analytica going out of business in early 2018.
There have been endless questions about data privacy and control in general, but in particular how GDPR may work or be enforced, and what this means for both businesses and consumers.
So, in the 20 months since GDPR became enforceable, what have we learned about GDPR, and where are we now?
In truth, we have learned a huge amount. We cannot cover all these lessons within this article but we’ll look at some of the key components of what GDPR has meant for both businesses and consumers.
From a business perspective, there have been different approaches to GDPR compliance taken by companies, with some aiming to be fully compliant by the 25th May 2018. Others took the view that it was enough to take only the minimum steps to comply. Full compliance means not just understanding the data held but evidencing the need for this data through a data protection impact assessment (DPIA), data mapping, and deciding upon various policies covering aspects such as data retention, along with the production and issue of Privacy Notices.
GDPR has helped create far more transparency around data breaches whereby organisations must inform the appropriate data protection body and affected individuals immediately when they notice any compromise of EU consumer data. Businesses are also required to inform users of how their data will be used and provide opt-outs from contact lists or data sharing more prominently.
For consumers, under GDPR they are more involved in decision making with regards to who uses their personal data and how it should be used; this includes citizens outside of the EU as well. Additionally, consumers now have easier access to their data under GDPR legislation, and as a result, they have a better understanding of how their data is processed, what data is held, and how they can access this data at any time.
GDPR has had various impacts on businesses:
· In many cases, GDPR has required organisations to appoint DPO’s (Data Protection Officers). This requirement depends on the nature of the organisation and the amount of data being processed. In 2016, a study indicated that GDPR would create demand for at least 75,000 DPO’s, and whilst exact numbers are hard to come by, a report by Protiviti indicates that there are over 500,000 DPO’s registered across the EU in 2019.
· In several cases, firms felt GDPR compliance was simply too onerous to comply with and would seriously limit their ability to run a profitable business in the EU. As a result, some businesses have entirely exited the EU market. Additionally, there have been reports of larger businesses changing how they do business, with a prime example being a report by The Irish Times that Facebook rerouted traffic to ensure 1.5 billion users wouldn’t be protected by GDPR.
· Companies have had to pay fines relating to GDPR legislation failures. According to Infosecinstitute.com GDPR has already led to over €360M of fines, with three firms having faced multi-million Euro fines. The top 5 fines to date are: British Airways (£183.4M), Marriott (£99.2M), Google (€50M), Haga Hospital (€460K) and tied at €400K are Sergic and Centro Hospitalar Barriero Montijo, with many others having faced six-figure fines as well.
· GDPR has restricted some companies with regards to mailing lists and data sharing and therefore impacted their ability to reach clients in order to grow their business. Some companies are reporting a 20-40% fall in their ability to contact clients. Conversely other companies have grown, most notably those providing GDPR guidance and support to others.
· GDPR is ongoing, with many companies continuing to progress towards full compliance. Legacy systems, cost, poor processes and data integration cause complications and challenges, and the journey may indeed be a long one yet for some companies.
A great deal has been accomplished by many companies becoming GDPR compliant during these last 20 months, but looking further ahead, there will be an increased focus on compliance accompanied with increasing penalties. There has been an increasing willingness from the ICO (Information Commissioners Office) to issue penalties to firms who have fallen short of their data protection obligations, and the period of grace the ICO may have offered to become GDPR compliant up until now appears to be over.
It is critical therefore, for businesses to now be complaint, and if not, then action should be taken as soon as possible. Whereas previously it was enough to show you were working towards compliance, almost two years after the legislation went live, the ICO has stated that the focus should be on more than just “baseline compliance” now.
In recognition of these ongoing challenges and in support of your business, Marbral Advisory is really excited to share with you the GDPR Playbook from our suite of transformational change products.
Introducing the GDPR Playbook Do It Yourself Guide®
The GDPR Playbook Do It Yourself Guide™ is a set of e-modules which, when carried out in sequence, walk you through the things that you need to consider, and produce, in order to comply with the GDPR. It’s intuitive and interactive to keep you engaged and includes 120 Lessons and 24 templates, webinars and videos.
The GDPR Playbook content is fully comprehensive and is supported by content, tools and methodologies advocated by the leading global Supervisory Authorities, including the UK ICO and the Belgian Data Protection Authority.
What's so unique about this e-learning product is that it takes you right from discovery to full implementation. Guiding you, carefully, through each module. As you go, you download and complete templates, documents and registers, which form a record of your work towards demonstrating GDPR compliance. We think this is pretty cool!
At the end of each module, you are invited to book a dedicated one-to-one with a GDPR practitioner to discuss your progress. You can use this time to ask any burning questions about the GDPR you may have. Or maybe you'd like additional guidance on some of the documents you have completed?
Depending on the Playbook version purchased, you can also book up to twelve hours additional support time with a GDPR practitioner. This is included in the price, there are no surprise extras awaiting you. They can support you with pretty much anything you need, be that one-to-one guidance or even the production of templates and support documentation for your organisation.
So, in conclusion. The what, why and how of GDPR compliance isn't so much of a mystery and more importantly, is still in your grasp.
Check out our GDPR Playbook via the link below:
