What's happened so far?
Despite all the scaremongering, we have not seen any fines yet. This is understandable, since many regulators are still dealing with issues pre-dating GDPR. It's also been clear from the outset that fines will be something of a last resort. We are only likely to see serious fines following detailed investigations, which take time, particularly given the pressure regulators are under with limited resources.
A further factor may be the steps that the majority of businesses have taken to comply with GDPR. Across the board, privacy notices appear to be more transparent and consent forms more robust. Whether the same businesses are as compliant behind closed doors is another matter.
But businesses should not get complacent – there will be fines. All the warning signs are there for those who know where to look:
- People are exercising their rights more than before. Dealing with these requests in a timely manner can be time- and resource-intensive. Expect regulators to look closely at any business consistently failing to meet their obligations.
- Regulators have been flooded with breach notifications. The numbers are so high in fact that we have heard some noises from various regulators that businesses are notifying too much. With a regime where over-notification suffers no penalty, but failure to notify could incur a fine, who can blame businesses for taking this approach?
- The number of complaints being made has also increased, and regulators are already dealing with huge backlogs. Therefore, businesses should prepare for the possibility that some of the complaints already filed could be about them.
Time to take stock of what was done pre-May 2018
In the rush to get 'something in place', businesses can be forgiven for not having properly road-tested the "GDPR solutions" that they implemented. Some may be too complicated or onerous for businesses to maintain day-to-day. Examples might include the eye-wateringly complicated Article 30 record that now needs to be kept up-to-date, or the 25-step 'online DPIA solution' which is grinding day-to-day operations to a halt. Solutions like these are not only ineffective compliance measures – they are compliance risks.
With over 100 days now passed, businesses should look critically at the measures that they put in place before the GDPR deadline and see if they are fit for purpose. Some practical ways to do this might include:
- Conducting practical testing. The best way to check if a security breach notification policy works is to simulate an incident on a Friday evening. This won't be popular with those affected but it can be a very worthwhile exercise.
- Asking for honest feedback from the team members with day-to-day responsibility. Very often those on the ground will know when something is not working and have suggestions on how it can be improved.
If issues are identified, businesses shouldn't be afraid to change their approach. Some options might be:
- Considering whether the same level of compliance could be achieved by cutting away the complexity and keeping it simple. For instance, a compliant Article 30 record does not need to look like a comprehensive data inventory or the results of an extensive data mapping exercise.
- Identifying areas where technology can assist. There are lots of great software solutions out there so be sure to get one that addresses a specific business need. You don't always need the Rolls Royce version. Always try before you buy and ask for references.
What to expect in the next 100 days
While nothing is certain in the world of data protection, we can expect to see:
- More enforcement and potentially the first big fines. Businesses should be ready to tell regulators their GDPR compliance story.
- Contractual disputes between controllers and processors over what the agreements, which were signed frantically before 25 May, mean in practice.
- More heated discussion on the ePrivacy Regulation and how it will work in parallel with GDPR. Whatever happens in this area, anyone doing business online should be prepared for more significant changes in the next couple of years.
- International data transfers to hit the headlines again in the form of Privacy Shield, Brexit and Schrems. We do not expect the relative stability of the last year or so to last.
Steps businesses should now be taking
Here are some key steps for businesses to consider during the next 100 days:
- Try to maintain the internal GDPR compliance momentum and the management support that were built up pre-May, and use them to continue refining internal processes and improving levels of compliance. This might include providing short monthly updates to the board on key risks and resource needs, or running informal refresher training for staff. There is still a lot to do and you will need the help.
- Go back to the pre-May GDPR to-do list. No one ticked every box on their list pre-May. Completion of that list should now be a top priority.
- Keep abreast of regulatory developments and enforcement action. Adapt your practices to bring them in line with regulators' expectations.
- Do not be afraid to change what is not working for your business. Now is a good time to take a close look at what was put in place pre-May and ask if it's working or if it could be improved.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.