On 30 May, Elizabeth Denham, the Information Commissioner, published a blog post reflecting on the first anniversary of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA), both of which came into effect on 25 May 2018, pushing organisations to make significant changes to the way they handle personal data. Organisations are now required to document and demonstrate compliance with the rules and principles of the new regime, and are accountable for that. One of the biggest challenges has been resources, in terms of finances and personnel, as well as pushing a change in culture to go beyond a literal application of the rules.
Ms Denham states that the focus for the second year of the GDPR will in fact be beyond baseline compliance: organisations need to shift their focus to accountability and a real understanding of the risks to individuals in the way they process data, and how those risks should be mitigated. For the year ahead, regulatory priorities will include:
- Cyber security
- Artificial Intelligence, big data, and machine learning
- Web and cross-device tracking for marketing purposes
- Children’s privacy
- Use of surveillance and facial recognition technology
- Use of personal information in political campaigns
- Freedom of information compliance
On 22 May, the European Commission issued a press release, stating that the GDPR rules have not only made Europe fit for the digital age, they have also become a global reference point. The main aim of the rules has been to empower people and help them gain more control over their personal data. The press release lists the positive aspects of the new rules, such as the possibility to tackle breaches, the fact that people are exercising their rights, and the inspiration for new privacy laws that have emerged beyond Europe, in countries such as Chile, Japan, Argentina, Brazil and Kenya. The Commission is expected to report on the application of the new rules in 2020.
What have we learnt?
Regulatory and reputational risks are always those with the largest echo and deterrent effect on organisations: fines can be significant, even for firms that can afford them, and penalties can include the suspension of processing. Individuals are more aware than in the past of their rights, and the information asymmetry between individuals and organisations has to some extent been reduced: this is another reason for organisations to act properly when processing data and to be open about it. It is reported that national authorities received more complaints compared to 2017, and logged more data breaches: this confirms the perceived higher awareness of data protection rights among individuals. 57% of EU citizens polled indicated that they are aware of the existence of a public authority in their country responsible for protecting their data protection rights.
It is also critical for organisations that operate across Europe to keep an eye on other countries’ enforcement decisions for breaches of the GDPR: the European Data Protection Board provides guidance to individuals, data controllers and processors, and national authorities, listing fines and other data protection related topics.
For firms in the financial sector, compliance with GDPR requirements is considered a senior management responsibility. With the Senior Managers and Certification Regime to come into effect on 9 December 2019, it is a priority to ensure that this responsibility is appropriately and effectively handled.
Should you wish to discuss any of the points covered in this blog, and get a better understanding on how to comply with applicable requirements, please do not hesitate to contact us.