GDPR: 2 years on – “I’ve updated my privacy policy; I must be compliant.”

May 2018 saw one of the biggest changes in data protection history across Europe and the rest of the world: the General Data Protection Regulation, more commonly known as the GDPR. Just like cyber security, data protection has now found itself a place on the agenda in the majority of boardrooms, as its requirements have led organisations to discuss the importance of the data they process. This includes methods of collection and storage, how the data is used and shared and, more importantly, how it is protected.

With the thought of a potential fine looming over the heads of business executives, the protection of data is an important discussion to have. With an issued fine comes the risk to reputation and brand, along with a news headline shining the spotlight on the organisation.

Technology has moved forwards rapidly, and we will never see a backwards shift. It is evident that several organisations have taken a proactive approach by conducting comprehensive reviews of their existing data protection management programmes to ensure the safety of their data – an asset – is up to date. On the other hand, we have seen organisations take the reactive approach, addressing the importance of data protection only after a breaking news headline about their organisation.

Two years on and people are still asking: “what are the key changes that come with this (not so new) legislation?”. Here’s a list:

  • Fines; the GDPR allows for organisations to be fined up to 4% of annual global revenue, or €20 million – whichever is greater – depending on the severity of the data breach.
  • Extra-territorial scope; GDPR will apply to organisations within the EU, even if the processing does not take place within the EU.
  • Data Subject Rights; data subjects now have more rights than ever under the GDPR, including access to their data, the right to be forgotten, the right to data portability, and so on.
  • Consent; organisations must gain consent to process the personal data of data subjects. Out with the legalese, in with basic English.
  • Breach notification; where a data breach “results in a risk for the rights and freedoms of individuals”, the breach must be reported to the relevant Supervisory Authority without “undue delay” and, where possible, within a 72-hour period.

It is important to note that a lot changed between April 2016, when the GDPR was agreed, and its implementation in May 2018. Following the United Kingdom’s exit from the European Union, the GDPR will still apply until the end of the transition period.

What does this mean for data protection in the UK going forward? The answer: nothing major; the UK Government plans to introduce the UK GDPR.

Though no longer a serving member state of the Union, the UK will seek what is known as an “adequacy agreement”, which gives businesses permission to exchange data between the EEA and the UK. This is expected to be agreed during the transition period, though watch this space. Just think of the adequacy agreement between the EU and Japan.

Two years on from the implementation date, it is safe to say that we did not expect to find ourselves in the middle of a pandemic with entire workforces working remotely. This has encouraged businesses to think about how they can ensure that data is kept safe and secure outside of the corporate network; a different challenge from the one faced within the office.

Our advice? Make best efforts to ensure your remote workforce has the appropriate digital protection, and consider how devices are kept up to date. Ask yourselves: do your employees have a secure home network? Are they aware of Covid-19 related scams (phishing, smishing, etc.)? Do they know what is expected of them whilst working from home from a cyber security perspective? Continue best practice and, if ever in doubt, we are here to help.