Time for a GDPR spring clean?
Fiona Anthony is a solicitor at nplaw, a public sector shared legal service based in Norwich advising local government, public bodies and charitable institutions. Here, she advises a spring clean when it comes to GDPR compliance…
My most memorable date of 2018 was 25th May. It wasn’t a big birthday or an anniversary, a holiday or a celebration – the sad fact is that it was the day the GDPR and the Data Protection Act 2018 came into effect. There had been a huge build-up to that point and, in the months beforehand, we had been preparing for the big day, delivering training sessions to packed rooms and checking policies, privacy notices and cookies (regrettably not the ones with chocolate chips in). There was plenty of concern about what the new regime would mean but very little reliable guidance.
We reassured clients that the new data protection laws were intended to be “evolutionary not revolutionary” and would build upon good practice. If organisations were doing it properly beforehand, then it wouldn’t be a huge leap to get it right afterwards.
The creation of GDPR wasn't an end point
It was tempting to think that we could get that date out of the way and then relax - but the Information Commissioner was having none of that. Writing in her blog at the time, Elizabeth Denham said: “The creation of the Data Protection Act 2018 is not an end point, it’s just the beginning, in the same way that preparations for the GDPR don’t end on 25th May 2018 …we all know that effective data protection requires clear evidence of commitment and ongoing effort.”
The Information Commissioner’s Office (ICO) certainly hasn’t relaxed, issuing helpful information on its website on an almost monthly basis including some myth-busting blogs and a Guide to Data Protection (published in December 2018) explaining the basic concepts.
With its regulatory hat on, the ICO has taken a more relaxed, pragmatic approach, recognising that it will take organisations time to embed policies and understand how the new regime will work in practice. No huge fines have been issued in the UK to date (except under the 1998 Act) and enforcement action has been slow to materialise. Yet the ICO’s breach-reporting helpline has been kept busy by some controllers 'over-reporting' perceived breaches, as many organisations are being unduly cautious or misunderstanding what needs to be reported.
Over in France in January, Google was handed a €50 million fine – the biggest to date under the new rules – for failing to provide enough information to users about its data consent policies and not giving them enough control over how their information is used.
Parliament here has been busy too with the snappily titled Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 tabled in January 2019. These regulations amend the Data Protection Act 2018 and create a new UK version of the GDPR to ensure that the legal framework for data protection within the UK continues to function correctly when/if we Brexit.
So, what has your organisation been doing on the data protection front since 25th May? If the answer is “not much”, then it’s probably time to have a spring clean. My top tips are to:
- Look at the ICO’s website for useful resources.
- Check whether your policies and notices still make sense, whether they need to be updated and whether they are being complied with.
- Think about the data you hold and consider whether you really need it all, whether it is out-of-date or should be destroyed.
- Make sure you train new staff as they arrive, provide regular refresher training and make sure it’s practical and relevant to their needs. For me, the key to having good data protection practice and compliance is having staff who understand what it’s all about.
- Capture learning from mistakes. If things go wrong (including any “near misses”), learn from the experience and make sure it doesn’t happen again.
This year, I’m hoping for a more peaceful 25th May!
nplaw’s website can be found at nplaw.co.uk