GDPR - one year on and alive and kicking
It has been over a year since the General Data Protection Regulation and the Data Protection Act 2018 came into force. 25th May 2018 was just the start. What has happened in the last year?
In May last year, a regular feature of the national news was GDPR and how organisations all needed to get their houses in order so as not to fall foul of the new, stringent European data protection regulation.
GDPR – General Data Protection Regulation, to give it its full title – and the Data Protection Act 2018 (DPA 2018) both became law in May 2018, and in the run-up there were tales and misconceptions galore about how they would impact on day-to-day business.
Now we’re one year on, the media barely gives GDPR a mention, but that doesn’t mean it’s gone away. When GDPR is back in the news, it’s generally following a security breach. Far from having drifted into the background, GDPR and its requirements form – or should form – a central part of all organisations’ regulatory compliance, and the fashion and sportswear sector is no exception.
GDPR and the DPA 2018 are a stage along the evolutionary process of data protection legislation within the UK. They enhance our rights as individuals and significantly increase the accountability of our businesses around all the elements of personal data we store and process. Whether or not we exit the EU, the requirement to comply with GDPR will not change. As an information governance and data protection consultant, GDPR, the DPA 2018, and their requirements form an important part of my work.
So what’s happened in this first year? Notably, there has been a big rise in the number of complaints and the reporting of data breaches lodged with the Information Commissioner’s Office (ICO). It seems GDPR has not only given consumers more rights, it has made them much more aware; they are asking “How did you get my information?” and “Why am I being marketed to?”
The ICO has shown its teeth. However, while the fines are one thing, the damage to reputation is quite another. When TalkTalk's data was hacked, it was fined £400,000 by the ICO. A far greater cost was the loss of share value, and as for reputational damage? Immeasurable. Similarly with Facebook, which is struggling with damage to its reputation around its handling of personal data, damage that started with the Cambridge Analytica scandal, where the data of 87 million people was improperly harvested.
Of course, GDPR isn’t just a consumer law. Companies often forget that a large proportion of data they hold concerns staff. Disaffected employees are using data protection legislation as a tool against their own employers. They can make a ‘data subject access request’ to ascertain what personal data is held on them, including within emails, which can tie a company up in knots.
As a company owner, you therefore have to think about employees as well as customers, and you must be able to demonstrate compliance – indeed, this was a key theme of Information Commissioner Elizabeth Denham's speech at the recent Data Protection Practitioners' Conference.
So what should you be doing to ensure you comply? You’ll have guessed there is far more to it than just having a Privacy Notice on your website and an unsubscribe option on your email marketing.
Evidence and transparency are the foundation of a GDPR-compliant structure. Ask yourself what data you have and who the data concerns, and include everyone: staff, customers, suppliers, stakeholders etc. Look at the information you hold, where you get it from, where you store it and who it's shared with. At the same time, question why you capture the information and whether you actually need it. For example, you may have a question about disability in your recruitment process. If you have a justifiable reason for needing to know, great; if not, then delete the question.
Having decided what data you need, make sure access to it is limited and it is protected, not just from online hackers but in the physical space. For example, lock your filing cabinets! You also need to decide how long you keep the data, and there are guidelines on this. Finally, don't forget to update contracts with suppliers to include data processing related clauses – your whole supply chain has to be 100% GDPR-compliant, because a supplier's breach could land at your door.
GDPR and the DPA 2018 are all about stepping back, looking at what data you hold and why, and making sure everything is documented. This shouldn't be regarded as onerous but as an opportunity to examine your processes and put in place efficient, GDPR-compliant systems, which you review and audit regularly.
Importantly, being compliant with data protection legislation, including GDPR, is about managing business risk. Just because you haven't suffered a data breach or received complaints doesn't mean you won't. Could you survive a fine? Far more significantly, could you survive the reputational damage? TalkTalk and Facebook, with all the wealth at their disposal, are struggling to do so. Food for thought…