Risks of GDPR are here to stay
Panic over! It’s now nearly four months since the introduction of GDPR and the world as we know it hasn’t come to an end. Phew, we can relax and get back to normal.
So say, it would appear, some leaders of businesses and organisations who view the introduction of the EU’s General Data Protection Regulation on 25 May as a one-off “Millennium bug” type event which will soon be confined to the annals of history. This is the wrong conclusion and a very risky strategy.
With the Information Commissioner’s Office (ICO) revealing that complaints more than doubled between 25 May and 3 July compared with the same period last year, it seems evident that GDPR is leading to a significant rise in the number of individuals making complaints about misuse of their personal data, and in the number of organisations self-reporting personal data breaches.
At Really Good Data Protection (RGDP), we provide data protection advice and data protection officers (DPOs) to organisations and businesses that have chosen to outsource their data protection requirements in response to GDPR. Our own evidence supports the ICO’s findings: the number of “subject rights” requests being received by our customers, and the number of personal data breaches they are recording and reporting, have risen in step.
The latter indicates our customers are now recognising the importance of highlighting such incidents. However, even for organisations that are fully aware of the seriousness of the new laws, compliance can still be a challenge.
We have also been struck by the amount of staff time, effort and associated financial and opportunity costs that GDPR is causing businesses and organisations as staff are double-hatted or diverted away from their core business to deal with compliance. Equally striking, it is apparent from the content of website privacy notices and marketing options that some firms have either ignored or simply don’t understand GDPR requirements.
When appointing a full-time DPO or giving the responsibility to an existing staff member is neither possible nor appropriate, outsourcing can be the ideal solution. A specialist provider can deliver a DPO with the necessary skillset and degree of independence, who will remain up to date with the latest regulatory requirements and best practices. The business can buy in as much or as little support as required, while focusing on its core activity.
The reality is that GDPR and related legislation such as the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (PECR), which are expected to be superseded by the proposed EU ePrivacy Regulation, are not going away, even when the UK leaves the EU. So, for organisations failing to comply with these regulations, the risk of potentially significant ICO fines and consequential reputational damage remains high.
Mark Chynoweth, general manager, Really Good Data Protection