GDPR: 90 Days On
GDPR has been one of the most talked about developments this year - now that the May deadline has come and gone, the big questions remain on what impact it's actually had for organisations to date.
So the 25th May 2018 has come and gone – a day long anticipated by all organisations that touch data in any way shape or form, but what impact has the new legislation had to date?
As we are all too well aware, embracing GDPR has been a costly exercise, with companies spending considerable amounts of time training staff, reviewing contracts, migrating and cleansing data, defining processes and, in some cases, appointing new suppliers and hardware solutions. Acxiom estimated the cost of becoming GDPR compliant at over £800 million for FTSE 100 and Fortune 500 companies alone.
So has it had a positive impact? GDPR has at its heart the ethical and transparent use of personal data, and to that end it has achieved its goals. Anecdotally, organisations are generally in much better shape to act as responsible custodians of their customers’ data. Many have implemented tighter controls on their data in anticipation of a flood of Right to Be Forgotten and Subject Access Requests, in a bid to make what could otherwise be a time-consuming and costly discovery process as streamlined and auditable as possible.
From a regulatory standpoint, the ICO in the UK reportedly received 1,124 complaints of non-compliance within the first month of the new legislation coming in (1), including some of the first high-profile complaints against Facebook and Google by pro-privacy lobbyists (2). Whilst it remains to be seen how many of these complaints are upheld, what is clear is that data subjects are exercising the powers available to them under the act. The number of incidents of non-compliance would be expected to fall and stabilise over time as this first wave of complaints is dealt with, and early loopholes and subjective interpretations in the application of the regulation are closed.
However, it seems there is still much to be done by both the regulators and the companies that are obliged to adhere to the letter of the act. New product and service launches are the most likely events to expose organisations whose practices have so far escaped escalation to the ICO. The ongoing task is to continue to embrace data protection by design and by default to mitigate these risks, and to fulfil customer requests about how their data is used and made accessible to them in a timely and comprehensive manner.
My plea is for organisations not to forget their GDPR obligations now that the initial wave of enthusiasm has passed, as this is just the beginning of the GDPR journey.