The deadline has passed and everything has gone quiet; or has it?
Yes, it may be quieter than some people predicted, but let’s not be too complacent. In the three weeks since 25 May, the ICO has been very busy; according to its site it has made 10 advisory and/or audit visits, issued 18 decision notices and issued 3 enforcement notices.
Of course, anybody who thought that swingeing fines would be making headlines by now was probably being a little unrealistic; investigations take a while to conduct and judgements a while longer to deliver, so don’t expect too many scary headlines just yet. But that does not mean they aren’t on their way; in spite of the ICO’s statements that it prefers the carrot to the stick, regulators tend to like the deterrent that attention-grabbing headlines provide.
What about the companies that are not yet compliant?
If you are one of these then the first thing to acknowledge is that you’re not alone; a survey by Apricorn (Apricorn.com) in May 2018 found that only 29% of respondents were confident that they complied with the GDPR. That leaves 71% still to complete – or, in some cases, still to start – their compliance work.
Whilst you may be able to take a little comfort from the ICO’s previous statement that it will look favourably on those that have started their compliance journey, the clear message is “keep the momentum, or start now!” We’ve all been bombarded with GDPR emails about consent and privacy notices for weeks, so there is no excuse for claiming ignorance and doing nothing.
You’re under the spotlight
It is very easy for anyone – your clients, prospects, suppliers and the ICO – to get an initial impression of whether your company is making an effort towards GDPR compliance. Firstly, they can check whether you have registered with the ICO, which publishes a register of data controllers that have registered and paid their fee; secondly, they can read the Privacy Notice on your website, which gives a good indication of your understanding of your GDPR obligations, together with details of how you handle and secure personal data (PII).
By the way, the ICO states on its website that failing to register as a data controller (and pay the data protection fee) is an offence that carries fixed penalties, so you’d be well advised to take the self-assessment on its website as soon as possible to see whether you need to register. (Although at the point of writing this, the registration part of the website was not working!)
What will people do with their new data rights?
A recent Computing.co.uk article quoted a Europe-wide survey by Veritas, which found that 40% of consumers plan to make a subject access request within six months of May 2018. It is clear that consumers want to take back control of their data and intend to exercise their rights under the GDPR. What is not clear is how (mostly larger) companies will cope with this deluge of requests, given that they have just one month to respond (extendable by a further two months only for complex or numerous requests) and cannot levy a fee unless a request is manifestly unfounded or excessive. For smaller organisations the implication is equally clear: have robust SAR policies and procedures in place sooner rather than later.
If you are not yet compliant, here are the key actions to consider now:
- Register with the ICO and pay the data protection fee if you are a Data Controller (and not exempt).
- Conduct a data audit so that you have a record of what personal data (PII) you hold, your lawful basis for each processing activity, who you share it with and how long you keep it.
- Ensure you have adequate data protection policies in place that demonstrate your commitment to data security. This includes your IT systems, which should meet recognised industry standards and be kept patched and up to date.
- Document how you will respond to Subject Access Requests; you may not get many, but they can be very time consuming, so have clear procedures in place before the first one arrives.
Author: Colin Jupe, VXPartners, June 2018