The implementation of the General Data Protection Regulation (GDPR) on 25 May 2018 was intended to provide individuals with increased transparency and control over how their personal data is used in the digital age.
The GDPR aimed to redress the privacy imbalances created by the rapid rise of the Internet, social media, online advertising, automated decision making and other exploitation of personal data made possible by rapid technological advancements.
For their part, organisations that process personal data were expected to overhaul their businesses to comply with the world’s strictest data protection laws and foster a “culture of privacy” throughout all aspects of their operations. Onerous financial and reputational sanctions could be imposed, should they fail to meet the necessary standards.
As the GDPR comes up to its first birthday on 25 May 2019, we look at the challenges which businesses face in complying with the new law, how it is being enforced and why businesses still need to take it seriously.
How are businesses meeting the GDPR compliance challenge?
Creating and embedding the complex and extensive policies and processes required by GDPR has generally been easier for businesses which operate in sectors where the handling of data was already highly regulated, for example businesses in the finance, pharmaceuticals and telecoms sectors, or those which had self-certified to rigorous technical standards such as ISO 27001 for information security management.
Such businesses have been able to meet the challenge of GDPR compliance by extending their existing compliance frameworks, a task made considerably easier by an existing culture of compliance and robust IT security systems and procedures.
For most businesses, however, the hurdle of GDPR compliance remains high, commonly for the following reasons:
These hurdles continue to result in many businesses not knowing how to start or continue their GDPR projects, and therefore delaying important action. Our experience with SMEs and global corporations alike is that it is essential to adopt a robust risk-based approach. Such an approach is endorsed by regulators and allows resources to be focused on identifying and addressing the areas of highest data risk in the business, providing the first crucial handhold for a business to start its GDPR compliance programme.
How has the GDPR been enforced?
Dramatic newspaper headlines in May 2018 created the impression that non-compliant businesses would be at immediate risk of onerous fines of up to 20 million Euros or, for major international businesses, up to 4% of worldwide annual turnover. In practice, the first year of enforcement action has been underwhelming and created mixed messages for businesses:
Why GDPR still needs to be taken seriously
Despite the many challenges of GDPR compliance and the lack of aggressive enforcement action to date, there are still compelling reasons for businesses of all sizes and sectors to take GDPR compliance seriously:
If you would like to discuss any data related matters, please contact our Data Regulatory team.