Just over 12 months ago, on 25 May 2018 to be precise, the European Union’s all-new General Data Protection Regulation (GDPR) standards came into force, sending many organisations into a frenzy to ensure that they were dealing with sensitive data in the correct way. Here, Mark Harper sets out to find out whether the UK has adapted well to the legislation or if standards are already beginning to slip below the required levels.
Saturday 25 May 2019 marked one year since the new GDPR laws were enforced upon the UK and Europe. The upgraded legislation was introduced in the main to give individuals more control over the personal data companies hold and how they handle it, but has this changed the way in which organisations are operating?
Well, over the past year, it’s safe to say data handling is different. In fact, there’s almost no doubt that organisations have changed the way in which they operate, with ‘Data Officer’ becoming a more prolific job title as the GDPR is more commonly understood. It was only last year that some business owners and their employees would struggle to tell you what GDPR stood for, let alone what it meant to their organisation.
Aside from this, the fact that home and office shredder sales have increased across the globe in the last year shows the shift in attitude towards the new standards, while also suggesting a willingness on the part of organisations to sharpen up their data handling processes.
Although education on this subject has evidently improved, GDPR compliance requires ongoing attention. This brings its own set of challenges. With that in mind, are we in danger of standards slipping only one year on?
Action by the ICO
In the last year, the Information Commissioner’s Office (ICO) has been closely following those who are failing to remain compliant with the GDPR.
As we’ve seen, if an organisation fails to handle an individual’s data correctly, it can be fined. In the last year alone we’ve seen over 200,000 individual cases reported. No business is immune, either, no matter its stature or the sector in which it operates. Our own National Health Service has suffered investigations and fines across the last 12 months. These investigations span as far back as May 2018 after a London Medical Centre left sensitive paper documents containing medical records in an empty and unsecured building.
Paper documents continue to be an underlying issue for those trying to follow data protection procedures. A common misunderstanding is that digital data should take precedence when dealing with the GDPR. This simply isn’t the case: paper documentation poses just as much of a threat as digital data. Organisations must continue to update their physical data destruction methods to ensure they remain compliant and avoid making the same mistake as the aforementioned NHS Medical Centre.
GDPR: Moving forward
It’s clear to see why the thought of large fines captured the attention of so many last year. However, a fear of fines will not always carry the same weight as it once did. Data protection has continued to evolve since the GDPR enforcement date and, with the grace period now well and truly over, companies are faced with the important task of maintaining company-wide standards in order to continually meet the new laws.
The importance of recognising the GDPR as a developing project was reinforced by Information Commissioner Elizabeth Denham at last month’s annual DPPC hosted by the ICO. “I believe we’re entering a new stage in the GDPR’s development,” said Denham, who went on to explain how companies must understand the risks that they create when processing data, and how this should move many organisations away from a ‘box-ticking’ view of the GDPR.
The underlying point consistently made is that companies must see the European Union’s GDPR as an ongoing operation. It has never really been enough to just tick the box. Instead, organisations should inject effective GDPR processes into their business procedures with a view to acting responsibly as opposed to merely fearing fines. Yet this isn’t necessarily the straightforward task that some believe it to be – even for those that already have firm data protection systems in place.
What might have worked for an organisation a year ago may not be as effective today or five years down the line. This is especially true for growing or larger organisations that tend to handle a large amount of data.
Take into consideration the sheer number of paper documents that some UK organisations and their employees are handling. A recent report found that the average company is holding more than half a million sensitive files, with 17% of those files accessible by every employee. Whether digital or hard copies, this poses an issue around a huge number of potential ‘slip-ups’.
Investing in responsibility
For any continual data protection process, investment is going to be absolutely key. Investment in the correct practices and in employee education should be a recurring process to ensure that a business is operating as it should be all year round.
Referring to the previously mentioned NHS case, a misplaced and forgotten printout was the cause of an investigation that could easily have been avoided by implementing the correct procedures associated with physical data destruction.
An organisation’s operations can change, whether in terms of location, members of staff or even everyday procedures. Given that’s the case, it stands to reason that effective paper document destruction should be routinely addressed.
Regular audits should take place to ensure that all current procedures are working effectively. Both existing and new employees should consistently know how to remain compliant and what their role is in the data protection process, whether that means shredding paper documents at their desk or collecting small quantities at regular intervals to be destroyed at a communal office shredder.
As many professionals are pointing out, the GDPR is still developing and organisations will need to keep up if they aim to continue acting in a responsible manner.
Those who manage to change their company culture such that the responsibility of the GDPR lies with the organisation as a whole and not just individuals are likely to prosper. This, paired with continued investment in procedures and employees, will help to keep the UK’s data protection standards from any unwanted slipping.
Mark Harper is Head of Sales at HSM