Gillian Scribbins, data protection specialist at leading law firm Muckle LLP, rolls away the rubble and rubbish that ravaged our inboxes in May to review what really matters for businesses.
The run-up may have seemed to last for months; but in fact for many industries the General Data Protection Regulation (GDPR) had been visible on the horizon since it was passed in 2016, and for others even longer still. So after the fever pitch (unfortunately this is not a joke or a World Cup pun) of activity in the second last week of May, what has been happening in the world of data protection?
The 25 May, when the new rules launched, has been and gone. The new age of data protection law is (finally) here. It’s safe to say that the run up was mildly comical; a combination of dawning awareness and sheer panic meant we all saw swathes of privacy update emails: some good, some bad, some altogether unnecessary. The European Commission released a statement calling personal data the gold of the 21st century. Comedy memes abounded.
The upshot of this of course is that GDPR is now in the public consciousness, which was, you might say, much of the intention. The Information Commissioner’s Office (ICO) will find this public discussion of data protection a great springboard for their new ‘Your Data Matters’ campaign, which uses a cartoon fingerprint family to help visualise the personal data rights we all have, as individuals.
Launched at the annual ICO conference in March (a hotly anticipated and sold-out event this year), the Your Data Matters campaign is aimed at members of the public, to inform us of how we can control our own personal data, and the requests we can make to any organisation that may hold this personal data.
The ICO’s GDPR blog on 25 May, rather than lauding the new enforcement, spoke solely about this focus on protecting the data subject, and says: “The GDPR gives people more and stronger rights when it comes to their personal data. Your Data Matters will help people understand how they can exercise those rights.”
What we didn’t see on 25 May, as many were anticipating, was a huge push of this campaign. Although it is sitting pride of place on the ICO’s homepage, where it links to detailed explanations of our rights and how to exercise them; @ YourDataMatters has its own Twitter account; and it is being co-hosted by large consumer organisations.
The blog reported that ‘the ICO has collaborated with a range of public and private sector organisations to produce publicity materials that can be used by anyone wanting to spread the message to their customers or clients’. But so far these organisations, the likes of Barclays, BT, Comic Relief and the Department for Culture, Media & Sport, have been seemingly quiet on personal data rights.
Similarly we are yet to see any evidence of the rumoured mass subject access and right of erasure requests; and enforcement actions of course will take time to come through, with many waiting cautiously to see where the first increased fines will strike.
In short what this means is that the 25 May was exactly as Elizabeth Denham, the UK Information Commissioner, said – ‘just the beginning’.
GDPR responsibilities don’t suddenly vanish now the 25 May has passed, although we suspect for many organisations, data protection may have slid back down the priority list on the agenda.
Compliance is an ongoing task that requires regularly reviewed and updated procedures, security measures, privacy notices and data protection polices; a living, well-maintained record of a data processing document; and routine staff training.
What we have seen is an increased push of the guidance available for organisations to aid this continued compliance and awareness. The ICO have issued more sector-specific guidance for microorganisations, who they recognise may not have the resources to manage or fund their own compliance projects. They have also turned some of their focus to establishing codes of conduct and certification schemes, which could in time potentially supersede measures which are currently considered compliant.
For anyone pushing it under the rug now the 25 May has passed, be wary, GDPR is a new way of working, not a 2018 project to be shelved.