To be compliant in time for 25 May 2018, the date GDPR came into effect, some companies scrambled to ensure their processes were fit for purpose. There was a lot of uncertainty about the specifics of GDPR and about what would happen to companies that fell short.
Some companies are still in the dark about GDPR:
Almost two months after GDPR went live, companies such as Facebook, Google and Amazon may still not be meeting the necessary GDPR requirements. In fact, on the day the legislation came into effect, Facebook and Google had non-compliance complaints filed against them.
In the UK, Ticketmaster revealed a data breach affecting 400,000 UK customers. However, the ICO has yet to decide which legislation applies, because the breach ran from February to June 2018 and so straddles the old Data Protection Act and GDPR. Could this be one of the first companies to be hit with the maximum GDPR fine of €20 million or 4% of global annual turnover, whichever is higher?
Individuals are up to date on their rights:
The ICO recently released its annual report for 2017/18. The report recorded a 14.5% rise in complaints, highlighting individuals' growing awareness of their rights under GDPR. What is still unclear is whether more or fewer breaches are actually taking place. What has changed under GDPR is transparency: the report revealed that self-reporting of breaches, now mandatory under GDPR (notification to the supervisory authority within 72 hours of becoming aware of a breach), had risen by 29%.
Until we see the first fines and penalties imposed on companies, it is unclear how far-reaching GDPR enforcement will be.
So, what can companies do to make the transition a smoother one?
- Get senior management buy-in: Making sure senior leadership is aware of GDPR and understands how it will affect the business ensures there is full company buy-in and understanding.
- Review your Data Protection Act policy: Carry out an audit and record what data your company holds, where it is stored, who the data is shared with and how securely it is protected. This creates a solid grounding for becoming GDPR compliant.
- Ensure staff receive training on data protection and cyber attacks: When a cyber attack succeeds, it is usually not the policy or procedure that fails but the people within the business.
- Consider and record the business's legal basis for processing data: Once the audit is complete and you know why your company holds each category of data, it becomes easier to identify the lawful basis (for example consent, contract or legitimate interests) and any legal obligations on the road to GDPR compliance.