GDPR was 2018's greatly anticipated house-guest. Some organisations (often the most house-proud) rushed around frantically, straightening their privacy notices; clearing out the old retention policies and bringing in brand new ones; even giving their international transfer arrangements a once-over. Others were still hoovering after GDPR arrived, and there were even those who turned off all the lights, lowered the blinds and pretended to be out.
Now the international body representing data protection regulators in the EU and further afield, the GPEN, has been around to carry out an inspection, running its white-gloved fingertip along the top of global data privacy compliance's mantelpiece (a survey of 356 organisations across 18 countries). It has now reported on its findings.
For those businesses wanting to review progress since last year, or even those who secretly know that they shoved various problem issues down the back of the sofa and would like to be able to sit a little more comfortably, the report highlights a number of areas that it would be sensible to focus on in the months ahead:
1/ Self assessments and internal audits. Most businesses will have committed to regular (annual) reviews of GDPR compliance as a part of their readiness projects last year. But around a quarter of respondents admitted to having no programmes in place to pursue these vital aspects of continuing compliance.
2/ Training. Having provided training in the run up to GDPR and also to new joiners since last May, businesses were generally reported to have done little to follow this up. It is important to schedule regular refresher training for existing staff, not least because this is an evolving area with fresh guidance emerging from regulators and the courts all of the time.
3/ Responsibility. Over a quarter of organisations responding had failed to appoint an individual or team to ensure ongoing compliance with the rules. It won't be appropriate for every organisation to appoint a DPO, but every organisation needs to identify who will take responsibility for adherence to data protection, and to identify who this is in their privacy notices.
4/ Breach readiness. Although more than half of the organisations who responded said that they had appropriate record-keeping and incident response procedures for data breaches, an alarming number had no procedure in place at all to respond to a data breach. Given the limited timeframes for reporting breaches, this is not something that can be figured out on the fly, after a breach has happened.
Finally, although it wasn't a feature of the GPEN survey, there have been separate reports in the UK of concerns over the quality of a lot of the advice that was given in the lead up to last May, often by non-specialists who lacked a proper grounding in the technicalities of data protection law. If your business is concerned about this, it is probably something to have looked at as part of your review process. Far better to identify problems now rather than sweeping them under the carpet where they may get tripped over as part of an audit or due diligence.
Happy spring cleaning!
The U.K. Information Commissioner’s Office released the results of the Global Privacy Enforcement Network’s annual report. The “GPEN Sweep” examined 356 organizations in 18 countries around the world to see what they have done to comply with data protection laws. The GPEN found many organizations had insufficient measures to monitor their data protection practices, as a quarter of respondents said they did not have a program in place to conduct self-assessments or internal audits. ICO Head of Intelligence Adam Stevens said, though organizations "have a good understanding of the basic concept of accountability, in practice there is significant room for improvement."