GDPR - One Year On
Time flies, doesn't it? Almost exactly one year ago, on 25 May 2018, the long-awaited update to the EU's data protection laws came into force. In that time GDPR has attracted plenty of criticism, with some accusing the EU of "overkill" or of "strangling business". In particular, there is a loud contingent of people who view GDPR as a concoction of difficult, unworkable and protectionist requirements. How true is this? This article explores that question.
We are now in a good position to assess the impact of GDPR: firms have had time to embed the requirements and see the effect for themselves, and, crucially, the regulators have had time to release a number of guidance documents and clarifications, notably around:
Guidance on privacy by design and the use of Data Protection Impact Assessments (DPIAs). This is still an underused area of GDPR and one that complements an existing change control procedure well: data protection by design and by default is an obligation under Article 25, and Article 35 requires a DPIA wherever processing is likely to result in a high risk to individuals, which makes the change control gate the natural place to ask whether one is needed. If you do not yet consider privacy by design and undertake DPIAs, look into this area, as it is essential for GDPR compliance.
Transferring data outside the EU. I've often been told, "we cannot transfer data outside of the EEA due to GDPR"; this is not true, as the ICO's guidance on international transfers outlines. Chapter V of GDPR permits transfers to countries covered by an adequacy decision (Article 45), transfers subject to appropriate safeguards such as standard contractual clauses or binding corporate rules (Article 46) and, in limited circumstances, transfers under the derogations in Article 49. What GDPR does require is that one of these mechanisms is identified and documented before the transfer takes place.
Industry typically over-interpreted many aspects of GDPR at first. Most notably, many assumed that marketing data required consent and that consent was the only basis on which such data could be processed, whereas it has become clear that legitimate interests can also be relied on (Recital 47 expressly names direct marketing as a possible legitimate interest), as long as the interests are explained in the privacy notice and individuals are given the right to object. Under Article 21(2) and (3) the right to object to direct marketing is absolute, and once it is exercised the data must no longer be processed for that purpose; the individual may then also require erasure under Article 17(1)(c). Note also that for electronic marketing to individuals, such as email and SMS, the Privacy and Electronic Communications Regulations (PECR) still generally require consent (subject to the soft opt-in), so the lawful basis under GDPR is not the whole analysis.
Talking about the right to be forgotten, the feeling I have from my clients is that this provision has not had the impact we initially thought. There was a spike of requests during the summer of 2018, probably fuelled by the media attention GDPR was receiving. However, many of the requests were invalid because the basis on which the firm was processing the data did not give rise to a right to erasure: the right under Article 17 is not absolute and does not apply, for instance, where the data is still needed to comply with a legal obligation or for the establishment, exercise or defence of legal claims (Article 17(3)). This is an area in which I've seen some firms over-interpret GDPR, allowing the right to be forgotten where the right does not apply. Of course, if you don't need the information then it should be deleted, and it is best practice to do so, but be careful not to delete data that you may need to retain to defend complaints or litigation, or where there is another requirement to keep it.
As a consultant, I have seen firms imagining that GDPR conflicts with laws such as the Proceeds of Crime Act 2002 (POCA), which prohibits "tipping off" where a firm or individual suspects financial crime has occurred. Their theory is that GDPR expects you to be transparent with the data subject, setting out how you will use their data, but that doing so would breach POCA, and thus the two laws are incompatible. The point to note is that GDPR does not require this. Article 23 allows Member State law to restrict the transparency obligations and data subject rights where necessary for purposes including the prevention, investigation, detection or prosecution of criminal offences, and in the UK the Data Protection Act 2018 (Schedule 2) provides exactly those exemptions, including one that lifts the information obligations where applying them would prejudice the prevention or detection of crime and one covering disclosures required by law. A firm relying on one of these exemptions should record which exemption applies and why, so that the decision can be justified under the accountability principle in Article 5(2).
We've not seen the wave of data subject access requests that we thought we would; similarly, with requests to be forgotten there was an initial wave of requests which has subsequently died down.
All in all, GDPR has focussed the minds (and resources) of firms on tightening data protection protocols, not least data security. It has raised awareness of other aspects of data protection, such as the rights that data subjects have, but there is still some misinterpretation in these areas. We’ll continue to see the ICO slowly release further documentation which I hope will give firms the confidence not to over-think the rules. Over the last few months we have seen the following guidance released:
The European Data Protection Board have released guidelines on certification and on identifying certification criteria (Guidelines 1/2018, under Articles 42 and 43) for the voluntary GDPR certification regime. Certification is voluntary; compliance with GDPR itself is not. The idea is to create a voluntary mechanism that firms can sign up to in order to improve standards and demonstrate accountability. To give some background, Article 42(1) states: "The Member States, the supervisory authorities, the [European Data Protection] Board and the Commission shall encourage, in particular at Union level, the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors". Note that a certification does not reduce the controller's or processor's responsibility for compliance (Article 42(4)). Further information can be found here.
The ICO have updated their guidance on the right to be informed. There is an important piece around exemptions from supplying the privacy notice information, for instance where the individual already has the information (Article 13(4), with the wider set of exemptions in Article 14(5) where the data was not obtained directly from the individual); this could significantly change the way many suppliers provide the information and could represent significant cost savings, though you should record why an exemption applies. Secondly, the new guidance is an ideal resource for creating an audit checklist to review the compliance of your privacy notices (or if you would like us to create this for you, just let me know!). The updated guidance can be found here.
Don’t forget we have a range of resources in our Compliance Resources Library to help save you time whilst complying with GDPR.