On 25 May 2018, the European Union introduced the General Data Protection Regulation (GDPR) to legislate data protection and privacy. The legislation enforced compliance through robust consent requirements, the ‘right to be forgotten’, and mandatory breach notifications, to name just a few.
Four years on and much has changed – the UK has officially left the EU and is set to impose its own data protection law. Reflecting on the regulations and looking to the future, eWeek UK spoke to five industry experts about the impact of GDPR and what we can expect from new data protection legislation.
GDPR: Friend or Foe?
Over the past four years, GDPR has undoubtedly divided opinion. Andy Swift, Technical Director of Offensive Security at Six Degrees, reflects on how “despite some critics saying the regulation doesn’t do enough to enforce good practices, the fact is it has been effective in raising awareness around data protection”.
He adds: “Ultimately, GDPR is still very young. It has provided important awareness and structural guidance throughout its four years of existence, and I anticipate that its presence and impact will grow as non-compliance fines become more prevalent.”
Kevin Kelly, Vice President & General Manager, Global Compliance Solutions at Skillsoft, agrees that “GDPR has prompted significant improvements in the governance, monitoring, awareness, and strategic decision-making regarding the use of consumer data”.
However, whilst GDPR did raise awareness of these important issues, others are more critical of the regulation.
“Although GDPR introduced rules on how such organisations should handle and protect this data, it arguably did not go far enough as it does not specify exactly what businesses can and cannot do with their customers’ personal information,” argues Michael Queenan, CEO and Co-Founder of Nephos Technologies. “For individuals, therefore, there is a huge loss of control over their data.”
Reforming Data Protection in the UK
Eighteen months on from Brexit, the UK government has announced a new Data Reform Bill to redefine data protection separately from the EU.
However, as Donnie MacColl, Director of EMEA Technical Services at HelpSystems, explains: “At present, the Bill is more of a statement of intent rather than policies that are set in stone. It remains to be seen how the government will move forward as further detail emerges.”
Richard Orange, Vice President EMEA at Exabeam, adds: “However, we do know that it will be important to be able to regulate data sovereignty from country to country, as this may become a challenge. Regions across the UK will need to find commonality and work cohesively for any reforms to be effective.”
“A new data privacy strategy could offer huge benefits to businesses as well as individuals,” adds Queenan. “Being a ‘data protector’ is increasingly becoming a badge of honour. We are seeing consumers making deliberate choices about which companies to transact with based on their data privacy and management practices. The increased fines for non-compliance proposed with the new Data Reform Bill will only reinforce this and force all businesses to be responsible with personal data and use it with the individual in mind, rather than for their own gains.”
Compliance is Key
No matter what the future has in store for UK data protection, it is essential that organisations stay compliant to avoid being hit with a torrent of fines and penalties.
To conclude, Kelly shares his checklist for remaining compliant:
1. Have you made it clear that your organisation is taking GDPR seriously? Raising awareness will help you to educate the entire organisation about procedural and operational directives – and ensure that your team has a clear understanding of your expectations regarding compliance.
2. Have you suspended all non-compliant data collection? At this point, the answer should be a resounding ‘yes!’. But also ensure that your organisation continues to put policies and procedures in place to allow the acquisition of legitimate consent – wherever and whenever data is being collected.
3. Do you identify and log all current data? Without an understanding of what data you have collected from individuals, you cannot implement data handling and storage procedures that are genuinely effective. Make sure that you continue to perform audits of the data you are collecting for a complete understanding.
4. Do you continuously review your data practices? Though you may be in compliance with GDPR now, it is imperative that you continue to review your data practices. Ask yourself if your current governance practices are sufficient to comply with GDPR. Pay especially close attention to overseas movement of data to ensure storage and processing remain on the right side of the law at all times.
5. Have you clearly communicated your intentions to your employees and customers? Create/redesign your organisation’s literature to clearly communicate the rights of individuals when it comes to their personal data. Take every opportunity available to you to reiterate your commitment to protecting personal data.
6. Do you have a data protection officer (DPO)? Who is your DPO? Every organisation should appoint one to ensure you are properly applying relevant laws protecting individuals’ personal data.