The introduction of the EU’s General Data Protection Regulation (GDPR) in May last year imposed sweeping changes to how organisations are required to handle personal data, while giving greater protection and enhanced rights to individuals. Organisations are advised to ensure that they have the robust frameworks in place to stay in compliance with the new regulations—contravening GDPR can result in enforcement action by the Information Commissioner’s Office, including large fines, and even prosecution.
John Bowman, former lead negotiator for the UK government’s Ministry of Justice on the GDPR, and now Senior Principal, Promontory Financial Group, spoke to Legal Insights Europe about how organisations have been impacted by the introduction of the new data protection and privacy regulations.
How have businesses and the legal community adjusted to the introduction of the GDPR?
The GDPR certainly captured the public imagination at the time of its launch in May last year, particularly when people received hundreds of emails containing updated privacy policies and renewal of consent to marketing requests.
At the time, many businesses were undertaking work to prepare for GDPR and there was great pressure to complete that work before the go-live date on 25 May 2018. Since then, many companies have focused on completing their implementation activities, but have also considered how privacy and data protection can be more effectively integrated into their business models.
This has included establishing privacy governance frameworks, making key hires including recruiting data protection officers and deploying technology to manage processes more efficiently, such as responding to data subject access rights requests. Although activity may not be as frenetic as it was in the first half of 2018, companies are taking their obligations seriously and will no doubt be monitoring key enforcement decisions as these emerge under the GDPR.
Is there now greater clarity on what the GDPR means in practical terms and its impact?
Yes, there is now greater clarity on the GDPR. Guidelines have been issued by national data protection authorities (DPAs) and the European Data Protection Board (EDPB) which provide greater clarity about the practical application of the GDPR. Statistics from the European Commission show that by January 2019 over 95,000 complaints had been filed with DPAs, with over 250 of these being of a cross-border nature. What this means is that the business of managing privacy in many organisations has grown and that companies need to be responsive to the complaints and enquiries they receive.
As well as referring to official guidelines, there is a range of ways that companies can gain further clarity on the requirements, for example through attending training courses or conferences and drawing on subject matter expertise from internal or external advisors. As experience of working with GDPR grows, then further good practice will emerge from the professional privacy community.
What can organisations do to ensure they are maturing their compliance model?
Organisations should ensure that key stakeholders and decision makers are engaged with and support data protection and privacy compliance. GDPR, in particular, has horizontal effect across most organisations and there is barely a customer-facing, compliance or administration function that does not require the processing and therefore the protection of personal data.
In order to embed and mature data protection into their compliance models, organisations need to build and maintain their business case for privacy. For many, GDPR would be a starting point from which compliance can mature and there is always more to do, whether it is refining systems to manage compliance or raising awareness and providing training for staff.
What do you see on the horizon for data privacy and GDPR?
Work will continue on GDPR implementation, but other developments to keep an eye on include the forthcoming EU ePrivacy Regulation, which will regulate electronic communications services, direct electronic marketing, machine-to-machine communications and online privacy including cookie settings. Data protection frameworks continue to emerge at a global level, including new laws in California and Brazil amongst other places. In Europe, developments in Brexit should be closely monitored, as the future of data transfers between the EU and the UK is dependent on the outcome of Brexit negotiations.
To summarise, privacy and data protection are constantly evolving areas and organisations are advised to keep track of key developments as they emerge.