A year has passed since the enactment of the GDPR on 25th May 2019. So how have we fared? Have we all weathered the storm?
We found real divergence in the way that businesses prepared for GDPR – some businesses were compliant well in advance of the deadline, while others chose to wait and see what effect GDPR had on commerce generally before embarking on a compliance programme. Whichever stance your business took, it is probably fair to say that, in reality, we are all more mindful now of how we treat data, and that our marketing practices have become more streamlined, with privacy and data subject rights at the forefront of our marketing strategies.
The ICO has had a busy year of implementation, enforcement notices and monetary penalty notices, which show an increase in fines. The biggest change has been a significant increase in the number of data breaches reported to the ICO. We are told that more than 14,000 data breaches have been logged since the introduction of the new laws last May. This backs up our assertion that awareness of the importance of personal data has increased.
The best uptake of GDPR that we have seen in our business clients has been where the adoption of best practice has been cultural as well as procedural. Businesses have taken the opportunities presented by compliance, not just to avoid financial penalties but to improve the relationship with staff, suppliers and customers. Crucially, they also consider data governance and security at the start of every project and not just as an afterthought as perhaps it once was.
One of the biggest mistakes businesses have made in the past year has been not always taking GDPR seriously enough. To be fair, the challenge is often not idleness but limited resources – every pound spent on GDPR is one less towards the business’s aims. Other non-compliance that we see centres around the management of paper records; weak or shared passwords are still an issue, as is the failure to encrypt or otherwise protect data in transit, whether that is email or physical media. Businesses sometimes make the mistake of thinking of data security as an IT problem rather than an organisational one – but data security should be an intrinsic part of every project, with security concerns aligned to business goals. GDPR requires us to take ‘appropriate technical and organisational measures’ to ensure data security – which means that we must all take responsibility for protecting passwords and locking laptops, in the same way that we expect our IT teams to have installed up-to-date antivirus and firewall protection.
Those businesses that are not yet fully compliant must ensure that they define a roadmap to compliance. For those with the foundations in place, it is really important to ensure that ‘GDPR fatigue’ doesn’t set in and that they don’t allow the good work they’ve done to slide back to ‘business as usual’. Businesses must recognise that GDPR is not a one-time fix but needs to be embedded in organisational culture.
A final point for discussion is to dispel the myth that GDPR stops us from carrying out direct marketing. It is important for businesses to remember that the correct legal interpretation of GDPR (and the Privacy and Electronic Communications Regs) is not the false belief that consent is required for all forms of marketing. GDPR says that direct marketing can be a legitimate interest of an organisation when it comes to contacting its supporters, provided that this is not overridden by the rights and freedoms of the data subject. Organisations may still be able to rely on legitimate interests for processing data for the purposes of direct marketing where they are conducting postal marketing; emailing existing regular supporters under the soft opt-in option, or emailing business email addresses; and live telephone marketing to individuals who have not previously objected to them, or to numbers which are not listed on the Telephone Preference Service (TPS). If your business uses legitimate interest as the basis for processing data, you must undertake a Legitimate Interest Impact Assessment (LIA) to ensure that this legitimate interest is not overridden by the rights and freedoms of the data subject.