25 May 2018 – a date which is imprinted on many people’s memories, as the EU’s General Data Protection Regulation (GDPR) was enforced from this date. Guernsey had of course been busy in the previous two years producing its equivalent legislation, which came into force on the same day. Move the dial forward a year and the impending end of the “transition period” has prompted a fresh wave of work to ensure any items left in abeyance from May 2018 are addressed.
The past twelve months have seen privacy and data protection skyrocket in terms of coverage and awareness. They are the hottest topics in our digital age, and not a day goes by without significant developments occurring somewhere in the world. Privacy is at the forefront of public awareness and a major area of focus for legislative bodies across the world. Once Apple starts making adverts about privacy, you know it is important…
Whilst there was some scepticism as to whether the GDPR standard could extend its tentacles beyond Europe, a significant number of jurisdictions have since reformed their laws, established regulatory bodies or overhauled existing ones, and pushed businesses to take the issue seriously. Regardless of whether this is motivated by economic factors (fear of missing out on technology and trading advantages that the free flow of data provides) or concern for human rights, the momentum is irreversible.
New technologies mean that regulators are constantly playing “catch up”, but there is a clear move towards transparency, choice and “trust”. Market forces are dictating that those who safeguard our data will see more of our business, particularly in the online marketplace.
Take the Facebook/Cambridge Analytica scandal; the fallout prompted the UK Government to commission an investigation into the use of data in political campaigning. We have subsequently seen prosecutions, demands for reform and a global recognition that data misuse is a major concern.
The bewildering, overarching impact of data protection on all areas of our lives means that it is also difficult for businesses to keep up. This does not mean that the basics cannot be done well; indeed building a solid foundation is essential. Finding the time and resource to keep pace with opportunity and change is tough – the Information Commissioner’s Office itself recently commenced a consultation with “Adtech” businesses in order to better understand the issues arising and current practices. The amount of processing taking place “behind the scenes” in order to generate a relevant “pop up” advert on your device’s screen is fascinating, but (at present) fairly opaque.
This state of flux is reflected in the development of the local marketplace. Initially, the focus was on ensuring that the customers’ data was protected and the business’s infrastructure was reviewed and policies updated. Since then, the focus has turned towards the supply chain – what measures of protection are in place when dealing with outsourced service providers, suppliers and other third parties? One only has to mention “Target” to remind people that your own security measures are only effective if mirrored by suppliers. We have been working with clients to update and overhaul existing contractual arrangements to ensure supply chain measures are robust.
Cyber security concerns are endemic, and rightly so. However, there are many simple steps that businesses can take to ensure a basic level of security and mitigate the risks to a manageable level. As Guernsey’s Data Protection Authority noted in its recent newsletter, most of the data breach issues they are seeing arise from human error. These include using incorrect email addresses, sending the wrong attachment and failing to “blind copy” addressees to emails. These are essentially issues of awareness and training. Phishing emails continue to be a big threat, and there are of course nation states out there employing factories of hackers to try to breach our collective defences, but it is often these basic errors that are the most costly.
We have also seen a rise in the number of Data Subject Access Requests (DSARs). There is a measure of trepidation around handling one correctly, given their novelty for some businesses. There are many misconceptions around DSARs which persist, despite case law to the contrary (you are not automatically entitled to a copy of every document on file, for example). It is important to establish a process and take advice (if needed) on your approach to responding to DSARs, as it is easier to apply good practice (and eliminate errors) and embed it if the approach is correct at the outset. It remains to be seen whether DSARs will remain “popular”, but we are increasingly seeing them used as a tool by disgruntled employees, so expect more on that front!
The next few months will be interesting, with transition coming to an end and the Irish Data Protection Commissioner confirming that there will be some announcements over the summer in relation to their investigations into Facebook (and others). A lot has happened in the past twelve months, and there is similarly a lot on the horizon for the next twelve months – watch this space!