GDPR a year on: Have businesses woken up?
It’s been almost a year since the General Data Protection Regulation (GDPR) came into force. Sooraj Shah finds out how companies have coped with the new rules, and what processes they have put in place in order to comply.
After endless conversations and debates, an excessive amount of information and media scaremongering, GDPR finally came into force on 25 May 2018.
In the months since, businesses have been keeping a close eye on how the legislation will play out, and whether organisations are going to be hauled over the coals on a regular basis. A quick look at the €50m (£43.7m) fine towards Google suggests that regulators are taking the legislation seriously, but will smaller enterprises also face sanctions, and have they got to grips with data privacy and protection?
Mojo Mortgages, a mortgage and insurance broker that holds both personal and sensitive information, completed a gap analysis against the changes brought in by GDPR and the way the company had been operating to date.
Lisa Elmsley, head of finance at the company, says that, operationally, there was little change to policy and procedures, and that the main changes implemented by GDPR empowered customers to have greater control over their data.
“In reality, these controls were always in place, but perhaps not as transparent as they are now. We needed to update our processes for capturing consent and evidencing this.
“There were slight amendments needed to documentation so that we are able to properly evidence compliance with our data protection obligations, but day to day not much changed,” she says, adding that the principles of data protection remained very much the same prior to GDPR: only collect the data needed, look after it and don’t misuse it.
Phil Everitt, data protection adviser and MIS & projects manager for rugby union club Leicester Tigers, echoes Elmsley’s view: GDPR has essentially “tightened things up”.
“It hasn’t changed the principle of data protection but it has taken it to the next step; we welcomed it, as it is essential for customers’ trust more than anything else,” he says.
John Visneski, head of security and data privacy at The Pokemon Company International, which has 600 employees and a London office, says that his team was well positioned to gear up for GDPR because of its work with child online privacy protection.
Getting some assistance
While Leicester Tigers initially thought it would manage GDPR internally, it quickly became apparent that reading the regulations alone led to more questions than answers.
“The GDPR regulations are not black and white – they are grey in some areas, so we needed some expert advice,” Everitt explains.
After speaking to other sports teams, Leicester Tigers selected ThinkMarble to work with – one of the key reasons being that it had an in-house data protection lawyer that could give the club definitive answers to its questions.
As part of the process of getting up to date, Leicester Tigers answered an online questionnaire that took Everitt’s colleagues through every aspect of GDPR, and then produced a report highlighting all the areas of GDPR that the club had looked at.
“Red is ‘danger’ that needs to be sorted straight away, green is something you already have in place that is working and amber is something that needs work – this allowed us to go to the board of directors and say where we’ve fallen short and where we’re doing okay,” he says.
For Mojo, the move didn’t take long from an operational perspective, but ensuring that there were no gaps in its processes and documentation was time-consuming and challenging.
“We reviewed our current processes for things like subject access requests and made tweaks to them, but there were no major changes required,” Elmsley explains.
The Pokemon Company’s Visneski adds that GDPR has improved the company operationally because of the visibility of data.
“I can’t protect personal information if I don’t know where it lives, and I can’t protect the enterprise unless I know where my vulnerabilities are. Being able to get that visibility into where the data is, how we’re using it and where our vulnerabilities are allows us to be better at having a privacy programme that is actually effective,” he says.
For Elmsley, the changes brought in by GDPR served to validate the company’s existing attitude towards data protection.
“Operationally, the majority of the practices included in GDPR should have already been in place with most firms. We viewed it as a positive move as it validated our existing approach and brought more transparency for customers as to how firms are supposed to treat their data,” she concludes.
Sooraj Shah is a freelance journalist