To mark the first anniversary of GDPR, Nick Rhodes examines its progress so far and identifies three risks that lie ahead.
The General Data Protection Regulation (GDPR) turns one this week. This infant regulation may have had a six-year-long gestation, but many anxiously awaited its birth (25 May, 2018) and public interest has not diminished over time.
As it continues to take shape via new legal precedents and fresh codes of conduct, it’s a good time to ask whether organisations are now getting data privacy right – or do challenges still remain?
This was never going to be quick
Personal data in the internet age has been likened to a new currency. Certainly, the push for accountability championed by regulators is akin to financial reporting. It’s not surprising, then, that this new form of accounting is taking longer than many expected to bed in.
The big risk used to exert pressure before 25 May last year was that of a big fine. This remains a huge danger and tech giants continue to take the threat extremely seriously. But for many organisations the real risks as we approach 2020 are more subtle – here are three to be aware of.
Risk 1: Marking your own homework
As we have previously highlighted, having a Data Protection Officer (DPO) is a bit like having Jiminy Cricket on your organisation’s shoulder, advising what is right and proper concerning all this data. Whilst DPOs have been great at helping to put legalese into everyday English, many have been sucked into making decisions on behalf of their organisations – and this can be a problem.
One of the key responsibilities of the DPO is monitoring compliance, so the first real risk is that of the DPO marking their own homework. If an organisation’s board has yet to recognise its own accountability for managing the risk of data loss, it needs to hasten the transition to operational business ownership.
Risk 2: Looking careless
The immovable deadline of 25 May, 2018 created a bow wave of collective effort to be ready on time.
Some organisations have been able to maintain this impetus thanks to customers becoming more engaged and employees gaining greater understanding of the regulation. Others, however, found that their project teams quickly dissipated with tasks left incomplete, new data stores still materialising and records having been shelved rather than maintained.
With press interest in data leaks showing no signs of abating, those organisations that have lost momentum run a significant risk of appearing not to have taken this seriously enough.
Risk 3: Missing out
An important consequence of GDPR is how it has encouraged customers to be more confident they have rights of redress and be more mindful about the value of their data. This helps bring the mind-boggling possibilities of digital advances like the Internet of Things and genomic medicine closer to reality – but only if public confidence about the use of their data is maintained.
The Information Commissioner’s Office’s Periodic Trust Barometer showed that readings have turned a corner since GDPR became operational. We are on a path of recovery, or rather, those organisations that have seized this opportunity to become more transparent and accountable are.
And the rest? There may still be time to catch up and avoid missing out – but be warned: the clock is ticking.