Was GDPR really such a big deal?
People started talking about the notorious GDPR in earnest in 2016. It was the veritable Eye of Sauron. It was definitely coming. And it was probably going to get you. Maybe your children too. There was a lot of talk about consent. If you overheard someone’s name or another piece of information that might identify them, it was best to get their explicit consent in writing. Ideally, in blood. There was a lot of misinformation (or at least misconstrued information), but we did at least get some super, if slightly nerdy, Twitter LOLz out of it, like this little gem:
By the time it came into force just over a year ago on 25 May 2018, lots of individuals and businesses had spent thousands of hours (and pounds!) thinking about it and talking about it. Inboxes were flooded with emails containing consent requests and updated privacy notices. People were at their wits’ end.
And then there was silence. 26 May 2018 dawned as we knew it would and very little had changed. Indeed, in the months that followed, there was very little appreciable change. The ICO (the data protection supervisory authority in the UK) allayed our fears by assuring us that it wasn’t going to start prosecuting data controllers and processors for non-compliance on 26 May 2018 and that, in fact, there was going to be an unofficial ‘grace period’ after GDPR came into force during which people would be allowed to ‘get their houses in order’.
Yes, GDPR was, and definitely is, a big deal!
Having said all that, it would be incorrect to think that, because the ICO took a seemingly lax approach in the past 12 months, so it shall be in the future. For one thing, the ICO has not exactly been resting on its laurels for the last year. It has called out HMRC on its voice ID authentication system, for which it found consent had not been collected. It also reported a massive increase in reports of data breaches in the first month after GDPR became law. For another, investigations into GDPR take a long time (especially with a substantial and growing backlog) and the ICO has said that its enforcement actions in the past year have mainly been focused on legacy investigations (e.g. fines have been handed to Uber, Facebook and Equifax for breaches of the previous data protection law).
What to do?
With that in mind, now is the time to start paying attention to your GDPR compliance if you haven’t already. As has been widely reported, year two post-GDPR is not going to be a repeat of year one post-GDPR. As recently as last week, it was reported that the Data Protection Commission (the data protection supervisory authority in Ireland) has begun investigating Google for GDPR infringement.
Therefore, if you are a ‘data controller’ for the purposes of GDPR (as almost all businesses are, large or small) you should review your data processing activities and in particular you should ask yourself the following questions:
The list goes on, but it is worth bearing in mind that GDPR is generally regarded as a good thing. Its introduction in 2018 marked the most important change in European data and privacy regulation in 20 years. GDPR was never intended to prevent the processing of data (which is an integral part of commerce and life in the 21st century), but it did impose important responsibilities on those who deal in personal data and it armed the citizens of Europe with actionable legal rights allowing them to ensure the protection of their private information.
Briffa are experts in all aspects of data protection and intellectual property law and practice. If you would like to arrange a free consultation, please contact us on 020 7096 2779 or email@example.com. We have helped our clients with everything from data protection audits, to drafting privacy notices and data processing agreements, to dealing with data breaches and we would be pleased to assist you.
Written by Éamon Chawke, Solicitor