“The UK Government has made it clear that they want Britain to be a place where companies can transact digital business. GDPR will be a vital component of the strategy. On leaving the European Union, a new law came into force that contains the EU GDPR, the PECR (Privacy and Electronic Communications Regulation (2003)) and the Data Protection Act of 2018. This is now better known as the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.
“Regulators are taking external factors into account and adjusting accordingly, namely the pandemic. However, this is only where applicable. What organisations cannot rely on are affected individuals being as forgiving. With group actions and the GDPR allowing individuals to make claims for their data being breached, there is a very real possibility that these will hit organisations harder than regulatory fines.
“In 2021 and with the end of the pandemic looming, now is the time for organisations to learn the lessons from others who have fallen foul of the GDPR to date. Therefore, focusing on data protection practices and making compliance a habit goes a long way in avoiding the full ramifications of a data breach.
“The GDPR dust settled throughout 2018 and the needs of business’ data processing became clearer. Fake news around the GDPR has not helped with rumours and misinformation distracting business leaders away from the real requirements. Many thought they were exempt and without really checking, did nothing whatsoever. The GDPR does address the needs of individuals who have the right to have their data protected and not sold or abused. In the case of the latter, the purpose limitation principle has been excellent though often ignored by many businesses.
“An area of the GDPR often abused is the Data Subject Access Request right. They may be being difficult for the sake of it or trying to use the right instead of open disclosure for legal cases. The disappointment has been the ICO being overly keen to support individuals in this case. Business has the right to refuse a DSAR and the ICO should support this.
“The top five breaches include Google, H&M, TIM Telecom, British Airways and Marriott Group. Two of these were actual data breaches. The other three were not. These were due to poor practice. Therefore, you might ask, why were they fined? Regulators are focussing on culture, not just data breaches. However, in all cases it was clear that the businesses concerned were all guilty of poor processes and a non-data-safe culture.”