The Evolution of GDPR And the Corona Effect

Published on August 14, 2020

Mark Paton


We can all remember when the countdown to GDPR was front and centre with most organisations implementing strategies to ensure compliance for 25th May 2018. That deadline seems like a lifetime ago and there is a general expectation that all the points on a company’s GDPR checklist are ticked. We’re not convinced. While a GDPR strategy might be in place for a lot of companies, the on-going work is far from over. With a constantly changing business landscape and implementation of new technologies, GDPR was already the challenge that promised to keep coming back. And then Corona happened…

While for many (even before the disruption caused by COVID-19) achieving compliance has been a monumental undertaking, having done so is not a reason to take the foot off the pedal. In fact, probably quite the opposite. Think about the fact that data is being created, replicated and consumed to such an extent that one market research firm estimates that in 2020, the digital universe will reach 40 zettabytes (ZB). That’s 5,200 GB of data for every person on earth, the equivalent of 100 iPhones’ worth each. That’s a lot of data to consider and keep safe.

With technology shaping modern business and driving data growth, and with even more activity on-line during the recent outbreak, there are further challenges to consider. Can data protection processes keep pace with the growth? What will the GDPR timeline look like as the process evolves?

We take a look below at the progress so far and the likely future state.

Clarity and a focus on data

In the months following GDPR go-live we saw some clarity and guidance from regulators around exactly what needed to change within organisations in order to be compliant. At the same time, the idea that GDPR was going to be another “Y2K” was dismissed. We saw a high-profile company or two experience a breach and thereby fall foul of the regulation, which focused everyone’s attention.

We encouraged businesses to keep the focus on GDPR, data and how it’s managed – making sure it was not seen as a one-off event. Our core message was that not knowing what data you have, or where it is located, is not an acceptable position to be in, and will expose your business to potential penalties or reputation damage further down the line. Personal data has to be looked after in a pragmatic and suitable manner, which relies on technology, process and cultural change within the organisation to make it happen.

On-going training for GDPR

Once GDPR was in force, businesses faced a broader range of legal, financial and reputational risks associated with not complying with the regulation. On-going compliance training was (and still is) key to ensuring employees are aware of the new rules on personal data management, while also increasing accountability throughout the organisation. Training helps employees stay aware of potential compliance impacts when making decisions, particularly those involving the handling of data. We know a one-off training session isn’t enough; companies needed to introduce a comprehensive, on-going training strategy to address GDPR.

GDPR and Cybersecurity

On balance, after some initial false starts and a few last-minute changes, we saw that GDPR implementations had become a good starting point. However, companies recognised there was certainly work to be done and additional clarification needed in some areas. The area causing most concern in many industries was the monitoring of the security of their own enterprise data.

Signs emerged that large organisations may have been looking for clever ways around GDPR. This is hardly surprising, as some of these organisations’ entire business model is based on selling or manipulating consumer data. One interesting sign about some organisations’ treatment of customer data was the trend towards sending more and more unencrypted data back to the browser to be presented at each new session. This means the organisation does not “hold” the data, and allows them to get permission from the user in one “we use cookies” message.

The summary at this stage was that if an organisation was doing the right thing – for the benefit of users or customers – and taking steps to protect its data, it should be OK. With any new legislation there will be a period where things are tested, and there were some interesting public lawsuits and disputes. But once the dust cleared, most people started to think that data was in a better, safer place.

Firms start to get their GDPR ducks in a row?

As time went on, and the impact of complying with the new regulations became better understood, companies placed ever-tighter restrictions on who could access their data, where they could access it from and what they could do with it. We saw companies ramping up, frantically bolstering existing data-focused security policies to ensure they would pass muster should the ICO come calling. Some companies were well prepared at this stage, but not all. Contractual updates with outsourced providers to cover GDPR obligations often lagged well behind the regulatory framework and business practices.

RegTech is booming post-GDPR

Regulatory Tech – or RegTech as it’s more commonly known – is a term created by the Financial Conduct Authority. Essentially it is about developing technology that can help financial firms to better comply with regulations and track their on-going obligations. GDPR has serious teeth in terms of the changes that organisations need to make, and the financial penalties should they fail to comply. RegTech can help in many areas related to GDPR, but one good example is around voice. If you consider how much personal data is held within telephone calls to companies, you can begin to recognise the challenges in this space. Technology has responded and is able to help analyse the important data, categorise it, store it and make it searchable. RegTech will continue to evolve and assist in this space, and companies who embrace this will perform better in the long run.

2020 - The Corona Effect

Then came along the coronavirus challenge, which is a risk to GDPR in most organisations. During the early part of the virus the ICO said that they would not be looking to enforce requests for data from companies if they were taking longer to fulfil due to Covid impacts. On the other hand, they said that they expected staff working from home to adopt equivalent measures for data protection as they would in the office! This has spawned a whole new set of challenges for employers and employees alike. With the prolonged nature of the impact of the virus now clearer, the ICO have now moved back towards BAU and are looking harder at companies’ performance against their legal obligations.

Most interesting is the potential for long-term changes in the way businesses run, and the impact that might have on GDPR practices. How can businesses adapt if most of their staff are not in the office? What about if some of their staff are not even in the country? Is it safe to discuss or share potentially sensitive information on the virtual meeting space your company uses? As in many aspects of work, Covid seems to have accelerated changes which otherwise might have taken years or decades to come about incrementally. We seem to be entering “GDPR 2.0”, where companies will again look for more clarity from regulatory bodies to understand their responsibilities.

Looking ahead

Now that GDPR is fairly well embedded, we expect companies of all sizes will continue to make changes over the next 3, 6 and 12 months. One thing we anticipate seeing more of is the adoption of practices to enable teams to have the right visibility, security and compliance resources for the future. Automation in this area helps to prevent human error in access protocols, and streamlines workflow. This will be critical for maintaining compliance on an on-going basis.

While the compliance deadline may have passed, it seems that the journey for many companies is still on-going. In a recent post we highlighted how the ICO are having difficulty in making the full force of their enforcement powers stick in the courts, but I can assure you that even 11% of the £183 million fine for British Airways would not have gone down well at the Board meeting.

As we see consumers taking more interest in how their personal data is being used, it is clear there will be significant changes ahead in terms of business practices, training and technology to help address the regulation. While the specifics of these changes may still be a work in progress, it is clear that businesses are on a path towards compliance and a new approach to data protection.

This is a changing landscape and we welcome the opportunity to discuss where you are on the time-line and how we can help you shape and evolve your GDPR plans in the most efficient way.
