Just a year ago, so many of us were working frantically to ensure that we had data protection processes in place in time for GDPR going live. But one year on, what progress have we made and is anything different? Have we just heaved a sigh of relief and moved on to the next challenge? Or have we really changed our approach to using and storing clients’, employees’ and other personal data? Do we really understand what needs to be done?
GDPR hasn’t gone away – its first year has been considered by many privacy experts as the transition year – so we should expect to see the Information Commissioner’s Office (ICO) start to flex its GDPR muscles in the next few months. We should all therefore review our privacy processes and make sure that our business does not misuse personal data, in whatever form it may be stored – electronic, hard copy, audio or video – and also ensure that none of this media lays us open to cyber attack and, consequently, a breach of the regulations.
To date, the ICO has not enforced any notable fines for GDPR contravention – it’s still dealing with the backlog of cases from before May 2018. Recent fines in the public domain such as Bounty (£400,000), Uber (£385,000), Facebook (£500,000) and Equifax (£500,000) were legacy cases, imposed for pre-GDPR data protection breaches. Post-GDPR fines are likely to be higher.
Once the ICO has the bandwidth to start looking at GDPR compliance, every organisation should review its use of personal data within its business.
There is still some confusion about how we can use personal data and what measures need to be in place. The regulation outlines six principles in relation to personal data use and storage:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality
The ICO has some helpful hints and offers a self-assessment checklist.
For organisations that store clients’ data, it’s essential to ensure that the data is kept secure and is not vulnerable to being hacked. The same applies to employee data. Data storage on your in-house servers may not be as secure as you think, so you should consider moving to offsite cloud storage in a secure, UK-based data centre that is ISO 27001 certified. It has always been a challenge to keep up to date with the latest cyber threats, and for many organisations it’s best to rely on cybersecurity experts to help maintain your defences.
When it comes to using and storing personal data, we can’t afford to relax. Cyber threats are still out there, and the penalties for losing clients’ data are much higher under GDPR, so you really need to keep your cybersecurity processes up to date.
For more information on best practice in GDPR compliance, contact Orca.