In the months running up to its implementation, there was a great deal of confusion surrounding the GDPR’s requirements, and this has led to a situation whereby many businesses are now operating without feeling certain that they comply with the rules.
Moreover, it is crucial to remember that GDPR compliance must be maintained over time and no organisation can afford to assume that the measures that they have taken to-date will ensure compliance indefinitely.
It was certainly the case that in the weeks leading up to the enforcement of the GDPR, there was a sense of panic. This was a regulation that was going to affect virtually every business in the country, and many simply were underprepared for it. This was highlighted by the flood of emails residing in individuals inboxes in the days immediately prior to the GDPR deadline asking them to re-consent to receive marketing.
It was subsequently revealed that many of these emails were actually unnecessary and potentially illegal.
Unfortunately it is still the case that the GDPR is poorly understood. Many organisations still do not possess a full understanding of the personal data that they process and the steps needed to safeguard it.
Additionally, there is confusion surrounding the right to be forgotten. A key aspect of GDPR is that individuals have the right to request the deletion of their personal data when there is no longer a ‘compelling reason’ for it to exist.
Nearly two-thirds of organisations were unsure if, upon complying with deletion requests, individuals’ data was comprehensively removed from all systems
However in a survey, nearly two-thirds of organisations were unsure if, upon complying with deletion requests, individuals’ data was comprehensively removed from all systems. The vast majority of GPDR emails that were sent to establish marketing consent could have been avoided, as companies could have relied on other grounds, such as legitimate interest.
If your business was one of those that took appropriate steps to comply with the rules of the GPDR before 25 May, you might believe that you can relax and can put the rules to the back of your mind. But compliance is not a one-time exercise, and if you want to stay within the law your company needs to constantly reassess its security procedures and practices.
Additionally, some businesses make the mistake of believing that Brexit will affect the GDPR – perhaps that the legislation will cease to be the law after the UK leaves the European Union. Brexit is no reason to assume that these new rules will cease to apply, however.
Firstly, the UK is not scheduled to withdraw from the EU until March 2019, so GDPR compliance will be required up until this date anyway. But furthermore, the UK has passed its own legislation, known as the Data Protection Act 2018 which will continue to maintain and enforce GDPR standards after Brexit occurs.
There are many factors that can influence organisations’ ability to maintain GDPR compliance. For example, as businesses grow, it is natural that they will incur increased levels of data processing. With these increased levels comes an elevated risk that something can go wrong.
It is also important to consider that the interpretation of the law may change over time. Grey areas in the regulation will be challenged– so your business will need to stay up-to-date with the latest developments.
Additionally, while you may have taken the time to inform your current staff about the GPDR, it is also important to factor GDPR training into your onboarding process and make sure that new staff members understand the rules and their roles in maintaining compliance.
There are many actions that your company must make to maintain its compliance with the GDPR. It is important, for example, to regularly assess controls, procedures and policies within your business to keep them up-to-date and to help guide future investments. Investment in cybersecurity will continue to be key as poor cybersecurity can lead to data breaches.
Finally, if you are struggling with the GDPR and feel confused by the rules and how they apply, seeking advice from data protection experts can help to ensure your business stays on the right side of the law.
