Over one year ago, on May 25, the new GDPR standards were set, sending many organisations into a frenzy to ensure they were dealing with sensitive data in the correct way. Twelve months on, Mark Harper of HSM asks whether the UK has adapted well to this legislation or whether standards are slipping.
The 25 May 2019 marked one year since the new GDPR laws were enforced upon the UK and Europe. This updated legislation was introduced to give individuals more control over the personal data companies hold and how they handle it. So, has this changed the way organisations are operating?
Well, over the past year, it’s safe to say data handling is different. In fact, there’s almost no doubt that organisations have changed the way in which they operate, with ‘Data Officer’ becoming a more prominent job title as GDPR is more commonly understood. It was only last year that some business owners and their employees would struggle to tell you what GDPR stood for, let alone what it meant to their business.
Aside from this, the fact that home and office shredder sales have increased across the globe in the last year also shows the shift in attitude towards the new standards and suggests a willingness from organisations to sharpen up their data handling processes.
Although the education on this subject has evidently improved, GDPR compliance requires ongoing attention, which brings its own set of challenges. So, with that in mind, are we in danger of standards slipping only one year on?
ICO Action
In the last year, the Information Commissioner’s Office (ICO) has been closely following those who are failing to remain compliant with GDPR.
As we’ve seen, if an organisation fails to handle an individual’s data correctly, it can be fined.
In the last year alone we’ve seen over 200,000 individual cases reported. No business is immune either, no matter the stature or the sector it operates in. Our own National Health Service (NHS) has suffered investigations and fines across the last 12 months. These investigations span as far back as May 2018, after a London Medical Centre left sensitive paper documents containing medical records in an empty, unsecured building.
Paper documents continue to be an underlying issue for those trying to follow data protection procedures. A common misunderstanding is that digital data should take precedence when dealing with GDPR. This isn’t the case: paper documentation poses just as much of a threat as digital data. Organisations must continue to update their physical data destruction methods to ensure they remain compliant and avoid making the same mistake as the aforementioned NHS Medical Centre.
Moving forward with GDPR
It’s clear to see why the thought of large fines captured the attention of so many last year. However, a fear of fines won’t always carry the same weight as it once did. Data protection has continued to evolve since the GDPR enforcement date and, with the grace period now well and truly over, companies are faced with the important task of upholding company-wide standards to continually meet the new regulations.
The importance of recognising GDPR as a developing project was reinforced by Information Commissioner Elizabeth Denham in last month’s annual DPPC, hosted by the ICO. “I believe we’re entering a new stage in GDPR’s development”, she stated. Denham went on to explain how companies must understand the risks that they create when processing data and how this should move us away from the ‘box-ticking’ view that many take of GDPR.
The underlying point that’s consistently made is that companies must see GDPR as an ongoing operation. It’s never really been enough to just tick the box. Instead, organisations should inject effective GDPR processes into their business procedures, with a view to acting responsibly rather than out of fear of fines. Yet, this isn’t necessarily the straightforward task that some believe it to be – even for those that already have firm data protection systems in place.
What may have worked for an organisation a year ago may not be as effective today or five years down the line. This is especially true for growing or larger organisations that tend to handle a large amount of data. Take into consideration the sheer number of paper documents that some UK organisations and their employees are handling alone. A recent report found that the average company is holding more than half a million sensitive files, with 17% of those files accessible by every employee. Whether digital or hard copies, this poses an issue and a huge number of potential ‘slip-ups’.
Investing in responsibility
For any continual data protection process, investment is key. Investment in the correct practices and employee education should be a recurring process to ensure a business is operating as it should be, all year round.
Referring to the previously mentioned NHS case, a misplaced and forgotten printout was the cause of an investigation and could have easily been avoided by implementing the correct procedures associated with physical data destruction. An organisation’s operations can change, whether location, staff or everyday procedures – and with this, effective paper document destruction should be routinely addressed.
To combat this, regular audits should take place, ensuring all current procedures are working effectively. Both existing and new employees should consistently know how to remain compliant and what their role in data protection is, whether that be shredding paper documents at their desk or collecting small quantities at regular intervals to be destroyed at a communal office shredder.
So, as many professionals are pointing out, GDPR is still developing and organisations will need to keep up if they aim to continue acting responsibly.
Those who manage to change their company culture so that the responsibility of GDPR lies with the organisation as a whole and not just individuals are likely to prosper. This, paired with continued investment in procedures and employees, will help to keep the UK’s standards from slipping for years to come.