GDPR, what next?

After the frenzy, the GDPR and the new Data Protection Act 2018 apply from today, but as Elisabeth Bell explains, those in charge of compliance won’t be breathing a sigh of relief just yet…

It is not often that a new piece of regulation generates such uproar, achieving even more Google searches than Beyoncé this week, but in heralding a new data protection standard for the digital age, the GDPR has already been a success in changing the discourse around privacy and accountability.

For many, achieving GDPR compliance will have felt like an arduous journey that delved into the deepest corners of their archives to take a long hard look at what data they are processing and storing and why.

Done right, this process has provided organisations with a detailed assessment of their operations and a renewed sense of purpose – the business equivalent of finally sorting out all those files and boxes in the spare room that you keep promising yourself you’ll do. It has not been an easy process, in addition to adhering to the six key principles of GDPR, to achieve meaningful implementation of the new regulations, the solutions have had to be tailored to an organisation’s unique practice and culture to enable them to deliver on the new requirements for accountability and transparency.

Bedding in the new policies and procedures

The media noise will die down, but for the new Data Protection officers and others in charge of compliance, the critical period of bedding in these new policies and procedures begins. With this will come a necessity to keep an eye on progress and remain vigilant about the possibility of a data breach. As Elizabeth Denham, the Information Commissioner said in a blog this week, “It’s an evolutionary process for organisations –no business, industry sector or technology stands still. Organisations must continue to identify and address emerging privacy and security risks in the weeks, months and years beyond 2018.” It is also important to mention that achieving practical GDPR compliance will put organisations in good stead for the forthcoming E-Privacy Regulations.

For those who are not quite there yet, there is still time and the ICO maintains that it’s position is to provide help first and fine in the event of deliberate or negligent use or loss of data. Our guidance throughout has been that a new privacy policy is redundant without a proper GDPR compliance policy and procedure in place and if the ICO do make enquiries, it will expect to see an auditable record of this.

Our team will continue to work with organisations to deliver compliant practice as the focus moves from the initial compliance deadline towards good data management becoming embedded in business practice and culture.