By Seán O’Halloran
The first anniversary of the General Data Protection Regulation, on 25 May 2019, was a low key affair, particularly when contrasted with the furore leading up to its launch.
Flooded inboxes and the widespread sense of panic ahead of the implementation date last year undoubtedly increased awareness among both individuals and businesses about data protection obligations. However, one year later many businesses are still not in compliance with the GDPR (and the related Data Protection Act 2018) or have done the bare minimum to comply. This is a risky proposition. GDPR compliance goes beyond merely keeping procedures and documentation up to date or dealing with data subject access requests. Instead, a holistic approach is required.
Need to demonstrate compliance
One of the key changes introduced to data protection law by the GDPR is, what the EU’s European Data Protection Supervisor terms “the integration of accountability as a principle”. In plain English, this means that the GDPR requires organisations not only put in place appropriate technical and organisational safeguards to protect personal data but also be able to demonstrate what they did and the effectiveness of same when called upon by the Data Protection Commission. This requirement to demonstrate compliance means that businesses must maintain a proactive approach to ensuring any personal data processed in the ordinary course of business is securely and adequately protected.
In addition to the requirement to demonstrate compliance, the GDPR also introduced the data protection impact assessment (DPIA). GDPR compliance requires a DPIA be carried out where a type of data processing, in particular using new technologies, is likely to result in “a high risk to the rights of individuals”. Owing to the large amounts of rights individuals have in the GDPR alone, organisations must be extra conscious of how a new way of doing business would impact on personal data. For example, where will a new cloud-based storage system back up your customer data? How secure is it? Will a data processing agreement be required? Can you restrict processing, if required to do so? Will you be notified of data breaches?
Focus on risk
As with any form of compliance, data protection is a risk management issue. As such, prevention is better than cure. Addressing a few key areas can significantly reduce the risk your business faces. Accordingly, we recommend that clients keep their privacy policies and data security procedures under regular review so that you might identify any further changes which ought to be made.