GDPR became enforceable on 25 May 2018. Unless you’ve been living under a stone for the last couple of years, you knew that already. So, how have we fared over the last year or so?
1. Business as usual. Sort of
GDPR arrived and the sky didn’t fall in. Some have likened it to Y2K, but that comparison is ambiguous. To some it means they dealt with personal data before the deadline, by reviewing how they use it or by rolling out new systems to help them comply. To others it means they didn’t act, or didn’t need to act, and nothing happened anyway. The truth lies somewhere between the two. If you already took personal data seriously, preparing for GDPR wasn’t a massive upheaval. Otherwise, you were (or still are) in for a shock if (or when!) the Information Commissioner’s Office finds out what you’re doing.
2. Increase in breach notifications
GDPR requires you to report a personal data breach to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it. Unsurprisingly, the ICO have seen a spike in the number of organisations telling them about breaches. Clients who have suffered a breach have called me asking what to do. Aside from advice on how to contain it, they often want guidance on whether to report it. GDPR requires you to notify unless the breach is “unlikely to result in a risk to the rights and freedoms” of the people concerned, and the ICO have made clear they don’t want to hear about every breach. Given the short timescale, and the fact that not all breaches can be fully investigated within 72 hours, some clients conclude it is better to err on the side of caution and notify up front, then go back to the ICO later to say the risk turned out to be lower than first feared. GDPR expressly allows a notification to be made in phases where the full picture isn’t yet available, so an initial report followed by updates is a legitimate approach. That is probably better than not reporting and getting into trouble that way, especially as the ICO won’t tell you whether you should report your particular breach. It obviously depends on the breach and on who and what has been affected.
3. Increase in subject access requests
There has also been an increase in the number of people requesting their data. Again, no surprise. It often consists of a terse email saying “I want to exercise my rights under GDPR and see all my data”. Some organisations took steps to address GDPR in advance, meaning they assessed their use of personal data, deleting data that was no longer necessary or up-to-date. They are now better equipped to deal with subject access requests, from ensuring they recognise the request when it first comes in, passing it to the relevant team, to assessing what data to disclose and then disclosing it.
4. Increase in ill-informed complaints
Of course, some organisations just couldn’t help themselves: they blindly followed the crowd and embarked on massive “re-consenting” exercises in an attempt to legitimise their B2B marketing databases, forgetting that the Privacy and Electronic Communications Regulations (PECR), not GDPR, govern when a marketing email requires consent in the first place. Those organisations then found they had to delete most of their database because the recipients didn’t opt (back) in, and they now have to be careful about contacting those individuals again.
On the other side, I’ve also seen an increase in the number of clients who have contacted me who have received ill-informed complaints from individuals. These generally fall into two categories:
Those who object to receiving a marketing email: “I never signed up for this email. You’re in breach of GDPR and I’m going to report you to the ICO“. However, PECR’s consent requirement for unsolicited marketing email applies to individual subscribers, not corporate ones, so you can email a corporate account without a prior opt-in (though if the named individual objects to direct marketing under GDPR, you must honour that objection).
And those who just want you to forget they ever existed: “I want you to delete all my details and forget me.” But the right to erasure (aka the right to be forgotten) is not absolute: an organisation can keep the data where it has a lawful ground for doing so, for example because it needs the data to comply with a legal obligation or to establish, exercise or defend legal claims.
5. Increase in data processing agreements
If you’ve done everything in your power to become GDPR-compliant then it’s only natural that you’ll want to flow this down through your supply chain. This has seen an increase in the use of data controller to data processor agreements. The current average is 5-10 pages of legalese. Others — often from German lawyers — are the law drafters’ equivalent of War and Peace: a fine literary achievement, but does it really have to be so long?!
On other occasions a controller-processor agreement isn’t appropriate. If you’re a data controller sharing personal data with another organisation that will become a controller of that data in its own right, there’s no point treating them as a processor and telling them what to do. In fact, not only will they want to make their own decisions, they will want you to reassure them that you have jumped through the relevant hoops to be able to pass them the data for them to use as agreed.
It has also seen an increase in the use of the model clauses (the EU Commission’s standard contractual clauses) for transfers outside the EEA. But these were drafted before GDPR. Oh, and they’re subject to an impending legal challenge.
6. Increase in Brexit fears
Some people persist in their belief that Brexit will kill GDPR. It won’t, and regular readers of this blog know this as I’ve written about it many times. Even so, some clients are looking at ways to keep data local, for example a UK cloud for UK customers and data subjects. This means local standards will apply, whatever those standards turn out to be in the future, and you don’t need to worry about international transfers.
7. Increase in enforcement?
There’s no doubt the ICO are busy investigating misuses of data under GDPR. But here in the UK we’ve not seen an equivalent of the €50m Google fine in France. That’s maybe why some compare GDPR to Y2K. But the ICO always said they wouldn’t simply increase the level of fines massively under GDPR. They continue to issue fines and to use their other enforcement powers, including prohibiting further processing. Just because they haven’t issued a headline fine yet doesn’t mean they won’t. UPDATE 11/7/19: ICO finds its feet with GDPR fines
Got GDPR questions? Get in touch: firstname.lastname@example.org