Data Privacy, Protection and Security In 2018

Published on: 4th January 2019

The Data Protection Act 2018 and GDPR both came into force in May 2018 amid widespread confusion about what could and should be done to achieve "compliance". Guidance was initially rather limited and high level, with much work to be done on setting detailed standards for best practice. Since May the ICO have continued to elaborate and explain their expectations both in guidance and advice documents, and through the detailed judgments regarding breaches that appear regularly on their website.

Perhaps the biggest impact (one that the ICO deliberately intended) has been the raising of public awareness of personal data issues. Long-running sagas like the Facebook data scandal, high profile breaches like those experienced by British Airways, and highly emotive stories around public service data breaches in health, law and social care have ensured almost daily headlines in the press. The deluge of GDPR stories promised by commentators has certainly materialised, maybe not in quantity, but certainly in scale.

Harder to judge is the impact on small businesses. Many are still working on the "wait and see" principle, and either don't believe that DPA/GDPR really applies to them, or are waiting for someone to complain before taking action. The trickle-down effect of the responsibility of major contractors to be GDPR compliant across their supply chain has prompted many smaller suppliers to address their GDPR issues in order to continue to trade with larger contractors. Measuring the scale of this response is extremely difficult, however.

Still the best advice is to "make a start": to investigate what data is held in a business and define how it is looked after, including identifying WHY the business has the data in the first place. As with any new regulation, responding to the new requirements is far harder for existing businesses than for new start-ups. Clearing up years of poor practice or complex existing systems inevitably takes time and money, which is always in short supply for tasks like this that have no apparent financial gain attached. Even the risk of fines may not be sufficient motivation to address these issues.

What is clear, however, is that the ICO is not prepared to tolerate ignorance and denial. The biggest reprimands and fines are for those whose lack of attention to data protection has been either wilfully negligent or a deliberate contravention of the regulations. The best defence against breaches and fines is always preparation, even if it's still in its early stages. Getting started on the journey can begin with very small steps. You can read more about how to do this here.

PYXI GDPR Team: 4th Jan 2019 07:59:00