On 25 May 2018, the new General Data Protection Regulation (GDPR) came into effect, sending many organisations into a frenzy to ensure they were dealing with sensitive data in the correct way. Mark Harper, of HSM, asks whether the UK has adapted well to this legislation, or whether standards are slipping.
25 May 2019 marked one year since the new GDPR laws were enforced in the UK and Europe; this updated legislation was introduced to give individuals more control over the personal data companies hold and how they handle it. So, has this changed the way organisations are operating?
Well, it’s safe to say data-handling is different. In fact, there’s almost no doubt that organisations have changed the way in which they operate, with ‘Data Officer’ becoming a more prominent job title as GDPR is more commonly understood, yet it was only last year that some business owners and their employees would struggle to tell you what GDPR stood for, let alone what it meant to their business.
Aside from this, the fact that home and office shredder sales have increased across the globe in the last year also shows the shift in attitude towards the new standards, and suggests a willingness by organisations to sharpen up their data-handling processes. Although education on this subject has evidently improved, GDPR compliance requires ongoing attention, which brings its own set of challenges. With this in mind, are we in danger of standards slipping already?
In the year since GDPR was implemented the Information Commissioner’s Office (ICO) has been closely following those who are failing to remain GDPR-compliant. As we’ve seen, if an organisation fails to handle an individual’s data correctly, it can be fined. Between May 2018 and May 2019 we saw over 200,000 individual cases reported.
No business is immune, either, no matter the stature or the sector it operates in. Our own National Health Service has suffered investigations and fines across the last 12 months. These investigations go as far back as May 2018, when the Bayswater Medical Centre, in London, left sensitive paper documents containing medical records in an empty, unsecured building.
Paper documents continue to be an underlying issue for those trying to follow data protection procedures. A common misunderstanding is that digital data should take precedence when dealing with GDPR. This isn’t the case. Paper documentation poses just as much of a threat as does digital data. Organisations must continue to update their physical data destruction methods to ensure they remain compliant and avoid making the same mistake as that London medical centre.
Moving forward with GDPR
It’s clear to see why the thought of large fines captured the attention of so many last year; however, a fear of fines won’t always carry the same weight as it once did. Data protection has continued to evolve since the GDPR enforcement date and, with the grace period now well and truly over, companies are faced with the important task of maintaining company-wide standards to continually meet the new regulations.
The importance of recognising GDPR as a developing project was reinforced by Information Commissioner Elizabeth Denham at April’s data protection practitioners’ conference (DPPC). “I believe we’re entering a new stage in GDPR’s development”, she stated, and went on to explain how companies must understand the risks they create when processing data, and how this should move us away from the ‘box-ticking’ view of GDPR that many still hold.
The underlying point, which is consistently made, is that organisations must see GDPR as an ongoing operation. It’s never really been enough to just ‘tick the box’. Instead, organisations should build effective GDPR processes into their business procedures, with a view to acting responsibly rather than out of fear of fines. However, this isn’t necessarily the straightforward task that some believe it to be, even for those that already have firm data protection systems in place.
Investing in responsibility
For any continual data protection process, investment is key; investment in the correct practices and employee education should be a recurring feature in order to ensure a business is operating as it should be, all year round.
Referring to the previously mentioned London medical centre case, a misplaced and forgotten printout was the cause of the investigation; this could easily have been avoided by implementing the correct procedures for physical data destruction. An organisation’s operations can change, whether in location, staff or everyday procedures, and effective paper document destruction should be routinely addressed.
To combat poor practice, regular audits should take place to ensure all current procedures are working effectively. Both existing and new employees should consistently know how to remain compliant and what their role in data protection is, whether that be shredding paper documents at their desk or collecting small quantities at regular intervals to be destroyed at a communal office shredder.
So, as many professionals are pointing out, GDPR is still developing and organisations will need to keep up if they aim to continue acting responsibly. Those who manage to change their company culture so that the responsibility of GDPR lies with the organisation as a whole and not just individuals are likely to prosper. This, paired with continued investment in procedures and employee training, will help to keep the UK’s standards from slipping for years to come.