GDPR – Compliance or complacency?
This year has seen the data protection landscape in the UK get significantly tougher but it seems not all businesses are keeping their eye on the ball as keenly as they should.
The Information Commissioner’s Office (ICO) has signalled its intention to impose massive fines on British Airways and Marriott Hotels, which made many people sit up and take notice. The ICO and European Data Protection Board (EDPB) have published new guidance that clarifies the obligations of data controllers and data processors. Despite this, it seems that many data controllers feel that the work they did leading up to May 2018 is enough to keep them compliant with the requirements of the GDPR. For these organisations, complacency may prove to be a real risk.
A recent survey of GDPR decision makers found that 35% of those surveyed felt that data protection was less of a priority now that the implementation date has passed. It may also surprise some to hear that 52% of organisations reported that they were still not fully compliant.
The survey also revealed the following…
- 37% have reported incidents to the ICO in the last 12 months, 17% more than once
- Of those organisations reporting data breaches, medium-sized entities made up 53%, small entities 36% and large organisations 23%
- Only 6% said the BA and Marriott fines had made them reassess their approach
- Those reporting full GDPR compliance, broken down by organisation size: medium 39.5%; small 51%; large 56%
- 18% had recruited personnel to carry out or oversee GDPR functions
- 70% felt ‘very positive’ about GDPR and 62% made it their ‘top priority’
According to ICO statistics, 60% of all data breaches reported were caused by human error. However, this does not seem to be recognised by those responding to the survey, who mainly sought technical solutions to the issues caused by GDPR. 96% of those surveyed said they had invested time and money into GDPR preparations but the ICO has warned against adopting a generic approach to the issue.
The Information Commissioner, Elizabeth Denham, explains…
“Organisations need to ensure that they not only have appropriate policies and procedures in place but that they can demonstrate through risk assessment, audit and review that the processes being adopted meet the standards of the GDPR and the UK's new Data Protection Act of 2018. Essentially, the culture of compliance should be within the DNA of the business. There is inherent danger in businesses taking a formulaic or generic approach to their GDPR obligations.”
So the key to staying on the right side of the ICO and avoiding penalties is to make sure you have adequate protections in place, that all your people know how to apply them, and that you can demonstrate your accountability to the ICO if required.
As the Information Commissioner has also concluded: “This next phase of GDPR requires a refocus on comprehensive data protection – embedding sound data governance in all of your business processes.”
How can UK Training help?
We present a number of courses which will help you with your ongoing efforts to comply with GDPR. You can view full details here.