The GDPR enforcement date of May 25 has come and gone, but that was only the beginning.
While the last couple of months have seen a flurry of activity by some organisations to improve their Data Protection compliance by the GDPR enforcement date, the serious and important work for those organisations starts now.
Maintaining that compliance and adhering to brand new or updated policies and procedures is what really matters.
The GDPR changes the focus of privacy law by providing the individual with many new and, in some cases, enhanced rights over the use of their personal information. The individual is king, and organisations must uphold the law so as to protect those individuals’ rights.
However, we have had Data Protection legislation in this country since 1988, so individuals’ personal data rights were already protected by law. What was telling about the onslaught of emails we all received coming up to May 25 was just how many organisations had been breaching our personal data rights all along!
If they had been processing our personal data legally in the first place, then why email us looking for permission to continue processing? The law in this regard has not changed with the introduction of the GDPR – the same legal bases for processing which were always required still exist under the GDPR.
The difference is that the changes brought about under the GDPR have forced organisations to take it much more seriously. Among these changes is the risk to organisations of attracting a fine or litigation from affected individuals.
Data Breaches in Ireland have been happening at an alarming rate, as is evident in the annual reports published by the Data Protection Commission (formerly the Office of the Data Protection Commissioner).
In the most recent report, published in February 2018 for the year 2017, the number of valid data breaches recorded is up by 26%. Complaints to the Data Commission increased by a huge 79% in 2017.
What these figures tell us is a) the public are very aware of their rights; and b) organisations are not doing enough to uphold the rights. While many have improved their data protection processes to prepare for GDPR, a recent survey of SMEs carried out by the Data Protection Commission showed that 52% of them had actually taken steps towards compliance. So, still a lot more needs to be done.
For those who have yet to take their head out of the sand, I predict a second round of activity as soon as the consequences of GDPR enforcement are made known.
With the Data Protection Commission now into the new era of enforcement of the GDPR, those who still need to assess and improve their data protection practices may be on thin ice. The new right of individuals to sue organisations may be the biggest threat.
We will watch the courts with interest to see what precedents are set by the judges hearing the early claims in this area. That could be enough to spark another round of GDPR compliance activity for those who have perilously ignored it so far.