A couple of weeks ago, while watching a presentation at a conference, attendees remarked that they had prioritised areas of focus to get them over the finishing line with their GDPR compliance, but there was a lingering sense that there was yet more to be done. This view was confirmed by the results of research carried out among participants at the conference. The results showed that 43% of respondents had to embark on substantial work to meet the requirements of the new GDPR legislation, but 48% are still not entirely sure how these will tie in with upcoming regulatory and legal changes, including ePrivacy. With regard to the latter, 44% of respondents stated that they were unaware of whether the new legislation would apply to them or not.
Furthermore, 38% of respondents outlined how they are, or will be, deploying Internet of Things (IoT) or Artificial Intelligence (AI) based tools, which will need to meet both GDPR and high ethical standards.
This all leaves one lingering question: where do we go from GDPR?
Before you can answer this, it’s important to understand that the GDPR is a journey, one which only started on 25th May. As a result, companies should be reviewing their current position and focusing on some, if not all, of the following:
Third party contracts:
- This is probably an area that many organisations have approached using a risk-based methodology, concentrating on reviewing the most relevant contracts first. However, now is the time to look at warranties and liabilities very carefully, depending on the controller / processor relationship.
Record of Processing Activities:
- Most organisations I have worked with have put a lot of effort into this essential requirement. Ensure these tools are not abandoned but kept alive and updated.
- Although the ePrivacy regulation is currently stalling in the European Parliament, I advise that businesses start to investigate the requirements of the proposed legislation to ensure they are ready to start embedding compliance from the get-go.
Training and awareness:
- Companies must make sure staff are trained, with regular top-up sessions to ensure ongoing awareness. It is not by chance that 42% of our respondents identified this as a key challenge for the future. It is important to review the preparedness of team members and test them regularly. I always recommend that you bring GDPR and data privacy to life through real cases to make it relevant and interesting to employees.
Data Protection Impact Assessments (DPIAs):
- Companies should keep an eye on the regulator (or regulators, if they operate across the EU), as they are specifying what they deem to be high risk and therefore require a DPIA to be conducted.
On top of all the above, companies working at an international level need to ensure they follow local developments and pay close attention to data protection authorities at the EU Member State level. This is an important piece of work which will allow businesses to operate in full accordance with the law.
It seems that there is always something more to be done, and while no one said that it would be easy, ensuring you are following data protection best practice is an ongoing and exciting journey. There will be bumps in the road, but those that embrace it fully will be able to gain a competitive advantage, grow their reputation and build consumer trust.
Thanks for Reading!