One year on, and it's clear that data protection is not going away.
This year, while we haven't seen significant fines (apart from the measly €50M fine for Google), there has been plenty of regulatory action and enforcement decisions will come across all sectors. Don't make the mistake of thinking that GDPR is done.
It's not, however, about fines and it never was. GDPR is about making organisations accountable for the data that they process.
At the Data Protection Practitioner's Conference in April, Elizabeth Denham (the Information Commissioner) said in her speech:
"Accountability encapsulates everything the GDPR is about.
It enshrines in law an onus on companies to understand the risks that they create for others with their data processing and to mitigate those risks.
It formalises the move of our profession away from box-ticking or even records of processing, and instead of seeing data protection as something that is part of the cultural and business fabric of an organisation.
And it reflects that people increasingly demand to be shown how their data is being used, and how it's being looked after.
But I'll be honest, I don't see that change in practice yet.
I don't see it in the breaches reported to the ICO. I don't see it in the cases we investigate, or in the audits, we carry out.
And you know, that's a problem. Because accountability is a legal requirement. It's not optional."
It's important to note that the Information Commissioner doesn't see the change in practice; and it is the Information Commissioner emphasising that it's the law, not an option.
At DPE we have worked with you for over the last twelve months, to ensure that a baseline has been met, but GDPR and the Data Protection Act 2018 don't require meeting a baseline and moving on, business as usual. There remains an enormous amount of work to win hearts and minds, to change behaviour and working practices.
That is the aim of GDPR - embedding privacy within all business practices, and organisations that embrace the opportunities to transform how they work are not just better at data protection, they see improvements in the way they work and the efficiencies that prevail.
We've seen how some organisations have had significant problems this year - often because of a lack of understanding of the requirements of GDPR, or legacy issues because it's been business as usual. Alongside our visits, remote sessions and workshops, our core DPO team has dealt with data breaches and subject access requests. In total, we've had nearly 1,500 inbound support enquires — some which can be resolved quickly - others which have taken weeks.
Going forward we are providing your organisation with the tools to not only reach and sustain a baseline data privacy programme in your school but the methodology support and content to monitor, assess, report and improve systems, people and processes throughout your organisation. That includes more content in the best practice library and checklists, the Compliance Manager, new short-courses and content on specific hot topics, and the Record of Processing tool that we are launching mid-June.
We also have our workshops, where we'll be going through new content, introducing the Record of Processing tool and gathering your feedback.
We look forward to working with everyone over the next twelve months and beyond. Remember if, you have any questions or concerns, email us:
James England
Director, Data Protection Education