25 Aug 2022 | Articles, Blog, Cyber Security, GDPR

GDPR Adoption…the reality

Howard Freeman

Howard Freeman

It is almost four and a half years since the GDPR became enforced in May of 2018. Since that date, when the world went mad over consent, subscriptions and other connection requests that most of the requestors ignored, we have had Harry and Megan, Brexit, Covid-19 and the prospect of a new Prime Minister as inflation runs wild. Phew! Let’s take a breath. The GDPR is now part of UK law and Brexit hasn’t changed anything.

So, what has been going on in the GDPR world?

We have recently reached out to a cross-section of businesses across the UK. This was designed to help us understand who has done what, in relation to the GDPR.

The survey asked simple but direct questions about what actions businesses had taken to comply with the regulation and whether Brexit has led them to believe that GDPR didn’t matter anymore.

Simply put, it is alarming how little many businesses have actually done. Of the businesses we surveyed, 29% admitted that they had done little more than adding a privacy policy to their website. Some of those admitted that they ‘borrowed’ theirs from another website! It is not the first time we have heard this.

34% said that they had used templates provided by a supervisory body. Another 12% had bought templates to help them but doubted they were compliant. We offered all those we spoke to one of our free GDPR health audits. Those that took up the offer were found to be not compliant, most of them were not even close to compliance. When looking at the work they had done amounted to nothing more than filling in blanks where the company name should be added. This is not GDPR compliance!

Understanding your Data

Data classification was an area that was almost not even considered by most. When we probed further, data asset registers were severely lacking as was any evidence of the data flows being mapped. Very few had considered the risk in their processing and few records of processing were being kept. The subject of data breaches was also discussed and again, very few knew what a data breach looked like and even fewer knew what to do about a breach. Reporting of breaches was better understood but incident severity assessment was not. This has resulted in breaches being needlessly reported to the already overworked ICO.

ICO Data Protection Fee

Speaking of the ICO, I still find it staggering how many businesses are still yet to register and pay the fee. It IS a legal obligation but many feel that they are exempt from the fee when the reality is that not many are. I know many businesses see the £40 as a stealth tax when the reality is that the ICO requires businesses to register and businesses must comply with the law.

Individual Rights and Consequences

The GDPR gives EU data subjects eight rights. However, businesses must understand that these rights are a cornerstone of the regulation. Ignorance of the rights is no excuse for failing to observe them and is a high-risk area where businesses can, and do, run into difficulties with the ICO…and lawyers. Solicitors see data protection law as a cash earner and they are earning now. Once you are contacted by a solicitor on behalf of someone who believes their rights have been violated, be aware that even if you settle, costs can still apply. We all know that solicitors can produce costs that often defy belief! Not all, but some.

Marketing and the GDPR

This is a tricky area for businesses. All businesses are keen to market their products and services and why not? However, there are do’s and don’ts when it comes to the GDPR and the PECR. However, just because an individual or another business has become a client, does not give a business the right to market to that business. Consent is required as being a customer doesn’t mean explicit consent for marketing purposes. Marketing to domestic clients presents a great opportunity to those who have little better to do than harass companies for undeserved compensation. The HGDPR has created a cottage industry for lazy people who want to move from a cottage to a mansion and want businesses to pay for it. Let’s face it, all the lawyers that chased us for PPI had to find a new opportunity and careless businesses who don’t comply with the GDPR are leaving themselves defenceless.

We are seeing ridiculous claims for stress and compensation when, in most cases, the data subject is setting themselves to be set up. We had one character who requested information and subscribed to my clients newsletter. A month later they decided to unsubscribe and be offended by the mailing received. Next, they engage a solicitor demanding all sorts. The solicitors, with their outstanding ability to create costs, end up demanding thousands of pounds in costs for a potential small settlement. Businesses must be extremely careful as the lawyers are hunting for easy prey. On this occasion, we refused to pay the lawyers after using a costs lawyer to ramp up the fees to over £9000.00. It was clearly ridiculous but solicitors are out there waiting for businesses to slip up. If you are not prepared, then defending yourself will be difficult, and potentially expensive.

Data Transfers

Always a tricky one, but, inside the EEA/EU/UK it’s business as usual. However, in the US, things have become more complex. The Privacy Shield was rendered invalid by the European Court. Therefore, data transfers to America now come with complications. SCC’S no longer apply and IDTA’s, International Data Transfer Agreements, are now required. This is not as easy as it sounds but if you are transferring data to the USA, you do need an IDTA. It is worth considering where your CRM or Accounting Software provider process your data. Have you considered this? It is amazing how many businesses fail to realise that their databases, or CRM, are hosted in the far east or India. Have you checked?

Understanding High-Risk Data, or sensitive data, better special category data…

Oh, this one! It still amazes me that businesses don’t understand what special category data actually is. Do you know for sure? Have you categorised your data? If you don’t understand what type of data if you have, it is impossible to assess risk relating to your data processing. It is a legal requirement that you do so. Your business will have an asset register (well you should have one) and a Data Asset Register is where you record your data assets which will include the categorisation of your data!

Sensitive data is clearly defined within the GDPR and it is vital that you and your business understand what this type of data is. You must also put in place extra measures to secure this data and demonstrate how you do this.

Privacy Shield, SCC’s and IDTA’s….

We often hear that transferring data to the USA is fine. We hear that they are our friends but, of course, when it comes to adequacy, the US is not our friends. The European Court rendered the Privacy Shield ‘invalid’ and as such data transfers to non-adequate countries are now forbidden. Have you considered where your mail marketing solution or CRM is hosted? Have you assumed or have you asked the question? It is very easy to inadvertently transfer personal data out of the EEA/EU so care should be taken. There are steps you can take to mitigate this risk, however.

There are many areas I haven’t covered in this article but stay tuned and I will do so over the next few weeks.


Can we help?