Moving on from 25 May 2018
For many businesses, the run-up to implementation of the GDPR on 25 May 2018 will have been a busy time, with a lot done in a short space of time. A year on, in May and June 2019, we held GDPR seminars in London, Bristol and Reading to look back at our clients' learnings and experiences, and also to look ahead to upcoming developments. We were joined by our colleagues Gregoire Dumas, Benjamin Docquir, Laurens Dauwe and Rafael Garcia del Poyo from our offices in France, Belgium and Spain, who gave us an insight into their experiences of GDPR from outside the UK.
This article summarises the key takeaways from those seminars, drawing on the findings from interactive polls during the seminars.
GDPR implementation: painful, but productive
Most GDPR projects had a number of stages: an initial phase of raising stakeholder awareness, securing budget and drawing up a project plan, followed by the actual implementation of the plan, usually involving some degree of data mapping, drafting of appropriate policies and procedures, reviewing (and likely amending) contracts, and delivery of training.
All of that work seems to be paying off. At our seminars, virtually all of the audience noted that they have seen at least some change in terms of awareness and compliance with data protection laws in their companies in the last year.
52% of our audience, across the three locations, have seen a significant change in the last year in terms of awareness and compliance with data protection laws.
So, what have we learnt over the last 12 months and what can we expect to see next?
Looking back over a year of GDPR
As with any form of compliance, the job was not done on 25 May 2018, never to be looked at again. The law, and the interpretation of it will change; good practice and market practice will also change; and, importantly, the data processing activities of a business will change.
In our experience, over the last year, businesses have been busy putting their GDPR policies and procedures into practice, moving on from the 'must haves' on their project plans to the 'good to haves' and training / maintaining board level and internal engagement.
Many have also been reconsidering different aspects of their project plans. Was the initial approach too ambitious and therefore not (currently) very practical? This is common in the area of data retention, for example. Did the business seek to obtain consent in circumstances where it didn't need to?
Some areas have proven to be more difficult to put into practice than others. At our GDPR seminars, we asked our audience to choose the three aspects of GDPR compliance they found most challenging; the results are perhaps unsurprising:
67% of our audience in London, 93% in Bristol and 74% in Reading said that creating and maintaining a record of data processing / data mapping was one of the most challenging aspects of compliance.
51% of our audience in London, 48% in Bristol and 56% in Reading chose putting in place appropriate contractual terms to cover the sharing / processing of personal data.
25% of our audience in London, 30% in Bristol and 33% in Reading identified responding to data subject requests.
In terms of complaints, claims and enforcement, until very recently (including at the time of our seminars), there had been little evidence of overt enforcement in the UK (or elsewhere in the EU), although we knew, even then, that there were investigations taking place behind the scenes.
That has changed dramatically in the last week, with news of the ICO's intention to fine British Airways £183.39m, and Marriott International £99.3m, for breaches of the GDPR. You can read more about those headline-grabbing fines, and our thoughts on them, here and here. In time, these cases should provide some long-awaited clarity regarding the ICO's exercise of its enforcement powers.
Aside from ICO enforcement, a worrying trend that we are seeing, here in the UK in particular, is of claimant law firms lining up to advertise post-breach data protection claims on 'no win no fee' agreements. The exercise of data subject rights is also becoming a serious business issue.
You can read more about trends in enforcement generally here.
Data protection is certainly not an area of law that ever stands still.
At our GDPR seminars, we identified some of the key developments to look out for over the next 12 months or so. Here are just a few:
- Statutory Codes of Practice: the ICO is expected to publish four statutory Codes of Practice over the next six months or so, including updates to the existing codes on data sharing and direct marketing.
- Guidance: in its 2019 / 2020 Work Program, the European Data Protection Board sets out a long list of guidelines it is working on, including on the application of legitimate interests, the distinction between controllers and processors, and responding to data subject requests.
- Key sectors / technologies: DPAs across the EU (particularly the ICO) have set their sights on understanding, and better regulating, the use of certain technologies and sectors, including AI, blockchain and adtech.
- Brexit: the implications of Brexit for data protection remain uncertain, but there are steps that businesses should be taking to prepare, irrespective of the outcome (you can read more on that here).
- E-Privacy Regulation: the e-Privacy Regulation will replace the current e-Privacy Directive and the relevant local law implementing legislation, and may – finally – be approaching its final form. It is expected to introduce significant reforms to the rules for processing 'electronic communications data', for using cookies (and similar technologies) and on direct marketing.
We will be keeping on top of all of those developments, and will post regular updates on our dedicated GDPR home page, so please do check back every so often to make sure that you are aware of any changes that could impact your business.
If data protection is just one of many areas of business regulation that you are responsible for, you may like to download, and subscribe to, our Regulatory Outlook.
Where should businesses focus their efforts now?
The GDPR is certainly not old news. The world of data protection and privacy promises to be a busy one throughout 2019 and for many years to come.
To guide you in the coming months, we have put together a handy checklist of things you should be doing now to comply.
If you would like our support in carrying out an annual health check of your business' compliance, with putting any of the GDPR's requirements into practice, or with dealing with potential complaints, claims or enforcement action, please get in touch with one of our experts.