Business Info - Issue 140

Q&A

One year on, what has been the impact of GDPR? We ask the experts

The story so far
Julia Seary, partner at Roythornes Solicitors, looks at what we’ve learnt in the first 12 months of GDPR

This time last year, GDPR was the hot topic of conversation as its introduction promised to impact nearly every organisation across Europe. The regulation was introduced to strengthen personal data privacy laws in light of technological advancements and to put all European organisations on an equal footing in terms of compliance requirements. In a heavily data-driven world, GDPR was an attempt to update the law in response to the volume, variety and speed of personal data production and its global circulation.

Now that the dust has settled, we can begin to look at how the regulation is working in practice. Overall, it appears that significant enforcement activity is minimal, but that’s not to say investigations aren’t taking place behind the scenes. There have been more than 50,000 data breach notifications across Europe since GDPR came into force and, here in the UK, the Information Commissioner’s Office (ICO) has received more than 8,000 notifications of data breaches since the end of May 2018.

The largest GDPR fine issued to date has been the €50 million against Google by the French data privacy regulator for lack of transparency, inadequate information and lack of valid consent in relation to its use of personal data for the purposes of personalising advertisements. Remember that a maximum fine of up to €20 million or 4% of annual worldwide turnover – whichever is greater – can be imposed on businesses that do not conform with the updated regulation.

It appears that transparency and consent (or the alleged lack of them) remain the most popular ICO complaint, particularly relating to the level of detail that people expect to receive. We advise businesses to revisit their privacy policy in order to make content as specific as possible.

The use of data subject rights is becoming another business issue; GDPR grants individuals more extensive rights regarding their personal data, which has generated a culture of individuals making repeated and extensive subject access requests (e.g. requesting emails going back many years), often simply to cause annoyance, waste time and incur costs for the data controller.

Immediately after 25 May 2018, there was a surge in erasure requests as individuals sought to clean up their online privacy and security. This seems to have slowed down in recent months, perhaps due to the realisation that the right to request erasure is subject to business requirements, rather than an absolute right to have all information deleted.

Finally, the last emerging data protection trend and a potentially concerning development is the increase in class action-style litigation and so-called ‘data protection ambulance chasers’. Some claimant law firms are attempting to generate business off the back of data breaches – even if the breach gives rise to little risk of damage.

In order to avoid business impact and interruption, our advice continues to be for organisations to review and update data privacy documents; implement GDPR training; and assess all data flow and transfers. We also recommend reviewing contracts with third parties and putting a process in place to deal with DSARs, other requests and potential breach scenarios.

www.roythornes.co.uk

What’s next?
Mark Thompson, Global Privacy Lead at KPMG, looks at how enterprises’ approach to GDPR is likely to evolve over the next 12 months

Over the next year, we anticipate that organisations are going to go into ‘phase two’, where they’ll look to make privacy processes more efficient and operationally effective and leverage technology to put the customer at the heart of how they approach privacy. If done right, this will enable organisations to leverage personal information to deliver great products and services, create value and gain a competitive edge.

In the meantime, there are still many challenges. Companies often find it hard to understand what the consumer expects in terms of data protection and to get the balance right. A further challenge is the ambiguity around how GDPR principles are interpreted. Some organisations are very risk averse, while others interpret the requirements a lot more broadly. We will have more clarity on the regulatory ‘grey areas’ when we start seeing case law and enforcement actions being issued in the next few months.

In addition, there is a significant lack of technology to support GDPR – privacy tech is limited in the marketplace and most of the available technology is being delivered by start-ups. There hasn’t yet been a solution, or a group of solutions, that can be easily bolted onto an existing technology infrastructure. This remains a challenge for companies looking to implement long-term change.
