What have we learned since the introduction of General Data Protection Regulation on 25th May?
Firstly, it is clear that we must continue on the GDPR journey; this isn’t something which can be ticked off and forgotten about. We suspect there is room for improvement in the data privacy processes of most organisations, large and small. The landscape is constantly changing, with some previously grey areas now being clarified by the ICO, and continuous updates are likely to keep everyone on their toes.
The ICO Guide now includes specific sections for the GDPR’s core data protection principles (Article 5 GDPR): lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality (security); and accountability.
The new sections include guidance and practical examples which explain what these principles mean, as well as their correct and incorrect application. Checklists are given as a quick point of reference to clearly outline key considerations organisations may need to take when implementing measures to ensure adherence to the principles above.
Right of erasure
The updated guidance emphasises the need to ensure erasure of data from backup systems as well as live systems, so maybe those tape or CD archives in your storage warehouse will see the light of day again after all.
In the news
Tim Cook (Apple’s Chief Executive) recently spoke out about the role of the GDPR in protecting fundamental human rights.
“This year, you’ve (speaking in Brussels) shown the world that good policy and political will can come together to protect the rights of everyone,” he said.
“It is time for the rest of the world, including my home country, to follow your lead. We at Apple are in full support of a comprehensive federal privacy law in the United States.”
It was inevitable that Facebook would become the first big target for Europe’s new data privacy rules, and initial reports expected the maximum fine to be imposed for the Cambridge Analytica scandal. Under GDPR, the maximum fine would have been £17 million ($22 million) or 4 percent of Facebook’s global turnover, but they have escaped with a tiny £500,000 fine which, for some reason, was calculated using the outdated 1998 Data Protection Act.
The Tories are likely to avoid any action as a result of the high-profile data breach at their party conference, caused by a security flaw in an app.
It would appear that the GDPR has already had a really positive impact on reducing unsolicited marketing, and newsletter unsubscribe systems seem to be a little more reliable. It’s also great to see how different organisations have implemented far greater control to manage email preferences, and we’re noticing more and more are following suit to give their subscribers more control.