We can hardly believe it’s been 12 months since the General Data Protection Regulation (GDPR) came into force.
Do you recall what life was like in early 2018? GDPR was all anyone could talk about. A glut of emails landed in our inboxes – every single day – asking us to opt in to receive marketing communications. Businesses scrambled teams to ensure compliance. We lived in a bubble of willingly accepting website privacy policies just to get rid of the annoying pop-up windows that greeted each visit.
It may have been irritating at the time, but there was, and still is, a very valid reason for the introduction of GDPR. The regulation is designed to give consumers greater rights over their own personal data, with more transparency and choice over how companies use it. Now that GDPR is written into UK law (through the Data Protection Act 2018), organisations are responsible for handling and storing customers' personal data securely. This includes HR records such as CVs and job application forms, employee bank details and personnel files. For the most serious infringements, the maximum fine is €20m or 4% of annual worldwide turnover, whichever is higher.
High profile cases
When it comes to data breaches and misuse, we've seen some high profile cases in the news since May 2018. Google was handed a €50m fine by the French regulator (CNIL) for failing to obtain valid consent and to be transparent about how it personalises advertising, and Facebook was fined £0.5m by the ICO for data misuse. Note that the Facebook fine was issued under the old Data Protection Act 1998, where £500,000 was the maximum available; under GDPR the ceiling is far higher. A further investigation into Google's advertising practices is currently being carried out in Ireland.
GDPR applies to all shapes and sizes of business
It's become apparent to us throughout the course of our work that many small and medium-sized businesses still don't understand their responsibilities under GDPR. Many believe the legislation is aimed at large, multinational organisations.
The reality is that the law applies to every organisation established in the UK or the EU, regardless of size, and also to organisations outside the EU that offer goods or services to, or monitor, people in the EU. Whilst the cases mentioned above feature global brand names, fines can just as easily be levied against a micro business.
The Information Commissioner’s Office (ICO) saw complaints about data breaches increase by more than 160% in the first 6 weeks after GDPR came into force. Consumers seem to be savvier as to their rights under the legislation.
To help us understand more about how the business landscape has changed, we caught up with John Miller from Smarter Technologies. He’s given EML, and our clients, invaluable guidance on GDPR compliance.
How has GDPR changed the way businesses manage data?
Organisations have had to implement a more structured approach to data management, which has helped to streamline business processes. They’re now much more responsive to removing you from mailing lists, for example. However, there’s still a distinct lack of awareness around the approach to safeguarding data and consumer rights to access their own personal data. Some business owners I speak to are surprised to learn that photographs and facial recognition technology are subject to data protection rules.
Only last month we saw an incident in London in the news. During a police trial of facial recognition cameras in a public space, one man tried to conceal his face from the camera. There were scuffles and he was fined £90 for swearing at officers. Protesters against the use of facial recognition technology are unhappy at the lack of regulation around its use. It's an interesting area of debate that I think we'll see continue this year.
What should businesses do if they know they’re not compliant?
I still meet people who have never heard of GDPR! At least 20-30% of SMEs I've spoken to haven't implemented any new processes or procedures to manage data. If you fall into this category, my advice would be to start with an audit of all the data you hold. There's plenty of guidance on how to do this on the ICO website. An honest, independent assessment is always valuable. If you have a strong relationship with a company like EML, have a chat with them and they will point you in the right direction.
Do you think GDPR has been a success or a failure?
Organisations are using data more effectively. Systems and processes are more secure and companies have better quality mailing lists as a result. GDPR has led businesses to question why they are storing certain types of data and look to find efficiencies in their processes. For all these reasons, I think it’s been a success.
What would be your one piece of advice to businesses that manage personal data?
To always treat other people's personal data as you would treat your own – with complete care and attention.
Has GDPR changed the way your organisation works? Is it time you reviewed your policies and procedures in line with data protection regulation? Contact us to arrange a no-obligation chat about our policy and procedure review service.