GDPR 2nd Anniversary  - ‘much done, more to be done….’

Today marks the second anniversary of the General Data Protection Regulation (GDPR) coming into force. With everything else that is going on around us, we felt it was timely to mark the occasion with a bit of a review, and some looking forward as well.

Despite the fact that the final draft of the GDPR was published in April 2016, giving organisations two years to prepare for its arrival, we still meet with organisations who are working to the 1995 model of privacy compliance. This is most clearly seen in an outdated Privacy Statement (if one exists), a wealth of obsolete data in their files and systems and a relatively limp and insipid understanding of individual consent, where it is being used as the basis for processing.

The GDPR introduced several practical, visible ways in which organisations can demonstrate their understanding of, and compliance with, their privacy obligations. Including:

• Clear, accessibly policies and notices in the interests of transparency.
• Robust, credible evidence of individual consent where it is being used.
• Confident reference to one of the other available Lawful Processing Conditions where consent might not be either appropriate or available.
• A Data Protection Officer (DPO) or Data Champion within the organisation, monitoring compliance but also on hand to provide practical advice on user queries or customer concerns.
• Comprehensive risk assessments of new projects and processing activities through the use of the Data Privacy Impact Assessment (DPIA). You can read more about our Data Protection Impact Assessments (DPIA’s) here.
• A reliable description of the organisation’s processing of personal data, highlighting system dependency, engagement of third parties and potential at-risk processing such as overseas transfers or security gaps.
• A clearer understanding of, and appreciation for, the data of children and the vulnerable, with steps taken to ensure that no such processing takes place without appropriate permission.
• Established protocols for sharing and disclosure of decisions to ensure consistency of enforcement among the collaborating Supervisory Authorities in the other EU jurisdictions.

Admittedly, we don’t have an extensive library of case histories demonstrating the ‘effective and dissuasive’ enforcement of the Regulation by our own Data Protection Commission – the first formal prosecution of an Irish entity under the GDPR took place last week, a relatively modest fine of €75k against Tusla for three recent infractions which put hight sensitive data and highly vulnerable data subjects at risk. Nonetheless, if considered as a ratio, this penalty represents a punitive value of €25k per individual impacted by such breaches – it will be interesting to see if this quantum is maintained in future prosecutions.

We were also advised at the weekend that a 14-month investigation of Twitter’s data-sharing activities has concluded, with the result due in the coming weeks, pending sign-off from the other Supervisory Authorities across the EU. Nothing like an impending birthday milestone to oil the wheels of enforcement!

That’s not to say that all is well and rosy in the world of privacy – many of the same issues with regards to the protection of individual rights and freedoms persist – most dramatically in Hungary, which recently suspended key elements of its GDPR legislation in order to ‘protect’ its citizens during the Covid-19 pandemic. The Covid-19 crisis has also brought substantial debate on the appropriateness of processing employee and patient data through contact tracing apps and medical testing in offices and workplaces. If ever there was a time to conduct credible, pre-emptive Data Protection Impact Assessments  (DPIA’s)!

Social medial behemoths continue to ‘re-invent the industry’ with ever-larger, more innovative and more informative data collations, with underlying concerns for the reliability and integrity of the published news.

The marketing and promotion of products and services online feels more and more intrusive and pervasive – a recent report published by the Irish Data Protection Commission  (DPC) found widespread non-compliance with both the GDPR (in relation to user consent) and the Electronic Communications Regulation (in relation to the deployment of cookies on websites). Irish organisations have been given a ‘hard deadline’ of October 5^thby which to bring their websites into compliance, after which date “non-compliance will be met with enforcement action”. We will be writing more about this programme in the coming weeks.

And lurking behind all of this, Brexit has not gone away. Remember when Brexit dominated the headlines? Must be at least 10 weeks ago. Brexit still carries a number of ‘unknowns’, including the UK’s ‘adequacy’ status from January 1^st, 2021 onwards, as well as its implications for third-party contract revisions and the requirement for appointment of Nominated Representatives both in Ireland (for UK firms continuing to do business here) and for Irish and EU firms processing personal data in the UK.

So, as ever, it is a case of ‘much done, more to be done’. Like any toddler, the GDPR at two years old shows promise, with occasional glimpses of the treasure it will become once the tantrums, the screaming, the writing on walls, the biting and scratching, the toilet training and the bickering with its siblings settles down into the mature, considered stability of a three-year-old. We can only hope.

If you are struggling with GDPR compliance or unsure about data protection implications of Covid-19, schedule a free one-to-one consultation now to learn about the steps that you need to take to ensure that you are compliant with the General Data Protection Regulation (GDPR).