Date Published 13 May 19

GDPR one year on: key trends and challenges

There are a number of key trends and challenges emerging since the GDPR (General Data Protection Regulation) came into force about a year ago. As the ICO (Information Commissioner’s Office) gets tougher on non-compliant organisations and data subjects become more aware of their rights under the Regulation, it’s clear that data privacy and cyber security must be at the top of every organisation’s agenda, and appropriate technical and organisational measures put in place to achieve privacy by design and by default.

A key factor in achieving this is embedding a culture of privacy in your organisation, which is embraced by everyone and is at the heart of its operations. The road to achieving effective privacy by design is not without its challenges, however. Over the past 12 months, the team at GRCI Law has helped a wide range of organisations with their data privacy requirements. We’ve pulled together some of the key trends and common issues from the past year.

Desperately seeking DPOs and Data Privacy Officers

With the enactment of the GDPR, it was clear there’d be a high demand for experienced DPOs (data protection officers) and Data Privacy Officers. A talent gap is emerging: there are too few people with the right skill set and the ability to act at board level. The cost and scarcity of experienced professionals are an issue for many organisations. The full picture is still emerging, but we’re seeing some organisations appointing internally and asking for support while they upskill, others outsourcing their entire data privacy function, and some paying premium rates for highly experienced professionals. GRCI Law has been advising on the full range of data privacy issues, including:

  • Designing and implementing holistic data privacy solutions;
  • Dealing effectively with data breaches and the aftermath, including when and how to report them;
  • Dealing with DSARs (data subject access requests); and
  • Best practice, current trends and how to embed a privacy by design culture.

Reportable vs non-reportable breaches

Our team has advised on and helped clients deal with 159 breaches within the past year. In line with what the ICO is saying, many organisations don’t know how to differentiate between breaches that should be reported to the ICO, and those that shouldn’t. In a speech at the CBI Cyber Security: Business Insight Conference last September, the Deputy Commissioner, James Dipple-Johnstone, said that many organisations are over-reporting in order to be transparent, to manage the perceived risk, or because they think everything needs to be reported. As a result, the ICO has been inundated with breach reports – up to 500 calls a week between May and September last year alone.

It would seem that, with the ICO’s resources at full stretch, it has not yet been able to turn its full attention to assessing reported breaches or issuing enforcement notices/penalties under the GDPR. However, organisations should be under no illusion that a lack of action so far is a sign of weakness from the ICO. It is still maintaining a record of reported incidents and is very clear on what organisations should be doing to prevent data breaches. As Dipple-Johnstone said: “If you adopt privacy by design, treat cyber security as a boardroom issue, and demonstrate a robust culture with appropriate transparency, control and accountability for your and your [customers’] data, then we will not usually have an issue with you should the worst happen.”

The UK picture on data breaches is reflected elsewhere in Europe. According to Digital Guardian, between 25 May 2018 and 28 January 2019 (Data Privacy Day) there were almost 60,000 reported data breaches across EU Member States, with the Netherlands topping the chart with 89.8 breach notifications per 100,000 people. Ireland was second with 74.9, and Denmark third with 53.3. The UK managed tenth place with 16.3.

GRCI Law’s Data Breach Management team can advise on when to report and when not to, how to manage the whole data breach process and how to mitigate the risks going forward.

The team is often told by organisations that they can’t account for human error, for example when personal data is sent to the wrong email recipient because a staff member has incorrectly used the Cc and Bcc fields. However, weighing the convenience of email address autofill against the right to privacy can reduce the number of mistakes employees make.

Organisations aren’t aware of the ICO fees

The big GDPR fines we expected this year may be a little slow to arrive, but the ICO has been busy ensuring organisations pay their data protection register fee. In 2018, 103 penalties were issued for non-payment of the fee. These can be a significant financial penalty for a small or medium-sized business, and can cause reputational damage, as the ICO publishes a list of non-paying organisations:

  • 85 organisations were fined £400.
  • 2 organisations were fined £600.
  • 16 organisations were fined £4,000.

GRCI Law often has to explain the data protection fee to our clients and remind them to register with the ICO and pay the fee, which is much lower than a fine.

Personal data and the rise of the DSAR

A key driver behind the GDPR was to give individuals more control over their data. Increased awareness of the Regulation and their rights means more and more people are exercising these rights. Since 25 May 2018, we have been contacted by scores of organisations needing help dealing with DSARs, as well as ensuring that they are in a position to address other data subject rights.

Failing to address DSARs can expose other weaknesses within an organisation, not least the requirement to maintain a record of processing activities.

Staff training is a requirement, not a bolt-on

In the event the ICO investigates your organisation, it will want to know what training has been given to staff. Training staff is key to ongoing compliance, and gives customers confidence that the protection of their data is being taken seriously.

Our sister company IT Governance offers comprehensive training packages in all areas of GDPR compliance, as well as Part 3 Law Enforcement Processing.

GRCI Law is a legal, risk and compliance consultancy firm, advising clients in the fields of data protection, data privacy, cyber and information security law. We are at the forefront of developments in these constantly evolving, challenging and complex fields.

Contact us to find out how we can help take the strain of GDPR compliance. www.grcilaw.com
