It has now been almost a year since GDPR became enforceable by law for countries within the European Union. GDPR came into effect on 25th May 2018, modernising the laws that protect the personal information of individuals and determining how organisations should hold or process that data.
The General Data Protection Regulation, or GDPR, has overhauled how businesses process and handle data, updating previous data protection rules that were originally created across Europe in the 1990s.
Elizabeth Denham, the UK’s Information Commissioner, says: “The GDPR is a step change for data protection. It’s still an evolution, not a revolution.” For businesses that were already complying with pre-GDPR rules, the new rules should be a “step change”.
So, do we all think GDPR has been a success?
As a company dealing with data erasure on a day-to-day basis, we have certainly made the step change to ensure we are GDPR compliant. We have pored over articles and made sure we have policies galore.
We have changed the way we contact customers through every aspect of our business, as have many of the companies and organisations we work with.
Early numbers for the GDPR make clear that the policy has been a success as a breach notification law, but largely a failure when it comes to imposing fines on companies that fail to adequately protect their customers’ data.
In March in London, the International Association of Privacy Professionals hosted a retrospective panel on the GDPR’s first year, where Stephen Eckersley, the head of enforcement at the U.K. Information Commissioner’s Office, said the U.K. had seen a “massive increase” in reports of data breaches since the GDPR’s implementation in May last year. Mr Eckersley estimated that we will see around 36,000 data breach notifications in 2019, almost double the previous annual figure of 18,000 to 20,000 breaches.
A GDPR data breach survey by DLA Piper states that there have been over 59,000 data breaches reported across Europe, from both public and private organisations, with the Netherlands, Germany and the UK topping the table of reporting.
But are fines the right answer if so many people still don’t understand not only how to keep data safe, but what constitutes personal data and how easily they still share it?
Have you ever stopped to wonder how much personal data you have shared online?
Or what happens to that information?
Have you even started to challenge the data you get asked for?
We’re talking about normal daily stuff like banking information, contacts, addresses, social media posts, and even your IP address. All of these are stored digitally.
Or what about when you are in the supermarket and the checkout assistant says you haven’t signed your card? Why do I need to, when I use chip and PIN? It’s not really two-factor authentication, is it?
Just recently, we challenged a large financial organisation that requested birth dates from our employees, which had no bearing on the business we were conducting. It’s a scary fact that most people might just hand over that information because they know no better.
We challenged the request because this organisation was wrong. In fact, it stated its own policies on its website but wasn’t following them. They had made sure they were GDPR compliant, had the policies to prove it, yet failed to educate staff almost a year on. And what were they doing with the information they didn’t need to ask for?
We don’t know because they didn’t know why they were asking for it.
So, what does compliance look like to us?
It’s about making sure that whatever customer or supplier data we collect for legitimate business reasons we keep safe. And we look after our employees and their data.
And we challenge those organisations or companies that have no right to ask for personal information about individuals when dealing with a limited company (Ltd) or a PLC.
We would love to say our email inboxes are free from spam, but sadly we can’t!
If you want more information about data protection, the ICO has a guide which can be found here.