Friday 28 January 2022, International Data Protection Day, marks nearly 4 years since the General Data Protection Regulation (GDPR) became law in the UK and Europe.
What have we learnt since then?
- It can be hard to understand all of the requirements and how they apply to your organisation.
- It requires resources, time, and dedication that lots of organisations (especially SMEs) do not have.
- Lots of organisations are still struggling to get it right.
I think it is safe to say that the GDPR turned our worlds upside down, but for all the right reasons. At Bridewell, we wanted to take some time to reflect on what challenges the last 4 years have brought for us, our clients and many organisations around the globe and the challenges that some are still facing 4 years on.
What are the Key Challenges that we are still seeing 4 years on?
- Continually driving value from your Record of Processing Activity (RoPA): It was straightforward to create a RoPA in May 2018 (or before, if you were really prepared!). It is much more challenging to embed ownership and continual updating of the RoPA into your processes. Many organisations still don’t have business owners for each processing activity, which means that activities and processes have changed but the RoPA has not kept up and is now out of date. Embedding RoPA updates into your existing change cycles will help it drive value in areas such as breach management, data subject rights requests and risk management, as you’ll know exactly what data you hold, where it is kept and when you delete it.
- Increased pressure of Data Subject Rights Requests: I am sure that many organisations are seeing influxes of Data Subject Rights Requests (DSRRs). Our clients are certainly feeling the effects of mass requests made on the back of legal claims, or of the new service providers which allow users to send automated deletion requests to anyone that has ever emailed them. The management and administration of DSRRs is time consuming and costly for organisations. This naturally impacts SMEs more, as they don’t always have dedicated Data Protection resources, so these requests are being actioned on top of people’s day jobs.
- Implementing Retention: Retention of data has always been hard to juggle: not keeping too much data versus retaining enough to defend your position or brand. Some organisations are still in the camp of ‘we’re keeping it just in case’. A Data Protection Officer’s worst nightmare! Retention must be embedded into data lifecycle management and, ideally, any deletion should be automated. It’s important to remember that Data Protection legislation isn’t going to stop you from keeping data if you genuinely need to, but you must document your rationale for the period you’ve settled on.
- The ever-changing regulatory landscape: So much has changed since May 2018. In the UK, we’ve had Brexit, meaning we left the EU, which threw up lots of challenges including the UK’s adequacy decision, cross-border transfers and Standard Contractual Clauses (SCCs), with more to come, including the UK making its own adequacy decisions outside of the EU and new UK SCCs. And let’s not forget about Schrems II and the failure of the Privacy Shield, resulting in the need to have additional transfer measures in place to legally transfer data to the USA. It still doesn’t stop there: now we have the UK government consulting on the ‘Data Reform’. That has left lots of questions like ‘what will it mean for the UK’s adequacy with Europe?’, ‘will we still have to do DPIAs?’ and ‘how will it actually impact organisations?’. None of the above even considers the COVID-19 pandemic we have been wading through for the past 2 years and the additional health data being processed all over the world, or the numerous new Data Protection laws being put in place around the globe.
- The depleting pool of Privacy Professionals: With more and more countries requiring Data Protection Officers (DPOs) for organisations that meet set criteria, there are naturally lots of vacancies and therefore lots of competition between organisations to get the best talent. Even those organisations that don’t legally require DPOs are looking to put them in place, as they see the value that a DPO with expert knowledge, experience and qualifications can bring to their business. It takes years for a Data Protection professional to gain the on-the-job experience and relevant qualifications needed to deliver great advice to their organisation, so with the rapid rise in demand for DPOs there is naturally less talent to go around.
- Culture of Data Protection: Creating a culture of Data Protection is by far one of the most challenging and lengthy changes that have been required since the GDPR came into force. Data Protection is no longer a one-man band where all the responsibility lies with the DPO or Privacy Team. The change that organisations are still struggling with is helping employees understand their roles and responsibilities, which might include understanding when Data Protection Impact Assessments (DPIAs) are needed or taking responsibility for updating the RoPA for their business processes. If organisations can nail a great Data Protection culture, they’re halfway there!
- Rise of the Data Protection Class Action: Class action lawsuits are commonplace in countries like the USA. After all, ‘where there’s a blame, there’s a claim!’. However, across the UK we are seeing a rise in their popularity, with more of them reaching the UK courts. Class Action, or Group Litigation, is used by courts to manage claimants who have the same interests in a claim. Data Protection breaches can be costly to organisations not just in monetary terms (through fines and compensation) but also through the impact on their reputation and ability to carry out future business; class actions take that to a whole new level.
- Getting consent right: Now this one isn’t new; marketing and consent have always been areas which organisations have struggled to get right. The very high bar of consent required under the GDPR, the flexibility of lawful bases such as Legitimate Interests and the rules around ‘soft opt-ins’ (within the UK) have caused confusion. Providing advice becomes more challenging when so many organisations are still getting it wrong. After all, ‘why should we do that when ABC Ltd isn’t?’. The answer is because it’s the right thing to do for your users and customers. It’s transparent and gives them a choice as to how their data is used. That is what the GDPR was designed to do!
If you need help understanding how the requirements of the GDPR apply to your organisation, Bridewell can help. We provide several Data Protection services, including consultancy on one-off projects, Data Protection Maturity Assessments, ISO27701:2019 implementation and Data Protection Officer as a Service.