On the 25th May 2018 the General Data Protection Regulation (GDPR) came into force. Whilst the new law was based on the same basic principles as the old one, it was a major overhaul and introduced some significant new requirements. This came as a shock to most organisations.
The change to the law provided an opportunity for many organisations to re-assess their approach to data privacy. Some took this opportunity, but most, in my opinion, are paying it lip service, whilst others are sitting on the fence until there is some enforcement. The importance of ‘doing personal information properly’ has not as yet hit home, nor have organisations realised that it improves corporate reputation and trust and is ultimately good for business.
Under the GDPR, most organisations are required to document the personal information they process, which systems it is stored on, how long the information will be retained for and so forth. From what I have seen, very few organisations had achieved this.
Nearly all the organisations I have worked with had problems with staff keeping personal information on unstructured, unofficial systems, with paper records being a common problem area – particularly those in storage.
Every organisation we have worked with uses third parties – whether ‘controllers’ or ‘processors’ – to provide services to it. We found that few organisations could say with certainty that they knew who all their third-party suppliers were or locate all the contracts they have in place with them.
For those organisations that did send out Controller-Processor Agreements to suppliers, the responses varied, with some suppliers – typically the more market-dominant ones – refusing to sign the addenda or simply ignoring the request. This presented a difficult policy call for organisations: either change suppliers, or continue to use existing third parties with non-compliant contracts in place. Most organisations appear to have chosen the latter course of action, believing their existing governance arrangements to be adequate and that they could show the regulator that they had at least tried to make their contracts GDPR-compatible. This is a dangerous strategy in my opinion, as recent high-profile cases seem to confirm.
Privacy Notices are organisations’ shop windows: they are visible, they make a statement about how a company treats customers’ privacy, and they are open to scrutiny from members of the public or employees. The ones I have seen are of varying quality, which is not surprising given the need for both legal precision and readability for the general reader.
Organisations have often sought assurance that they are fully compliant with the GDPR. This is understandable, but such assurances cannot be provided. Our approach with clients is to focus on the main risk areas for their business and to make sure they have the main compliance building-blocks in place, so that they can, for example, deliver individuals’ rights or respond appropriately to a data breach. For some of the common mistakes, read my recent article here.