The General Data Protection RegulationRegulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). (GDPR) celebrates its fifth birthday this month, and what a half-decade it has been for organisations. During these past five years, organisations have had to adjust their business practices to ensure they comply with the stringent rules set by the GDPR. Organisations must consider GDPR and wider data protection obligations as part of their day-to-day business, and ensure personal dataInformation which relates to an identified or identifiable natural person. is collected, stored and processed in a compliant manner.
This blog focusses on several ‘organisational level’ considerations that organisations should consider to become, and then remain compliant with the GDPR, including some examples of how these requirements have evolved over the past five years.
The first step to good data protection practice is knowing what personal data is being collected, processed, and used, and for what purposes. Organisations will need to ensure they have conducted due diligence on whether the personal data collected is special category dataTypes of personal data listed in Article 9(1) GDPR that are considered sensitive and thus require extra protection. Article 9(1) lists data relating to: • racial or ethnic origin • political opinions • religious or philosophical beliefs • trade union membership • genetic data • biometric data • health • sex life • sexual orientation Where these types of personal... or not, as this will impact how the data can be used and the reasons for collection.
Alongside this due diligence, organisations must ensure they are applying the correct lawful basis for processing. Over the past five years, we have seen numerous organisations attracting the attention of supervisory authorities over their choices.
It has taken five years, but organisations are now starting to be held more accountable for the personal data they processA series of actions or steps taken in order to achieve a particular end.. This includes identifying a clear and transparent lawful basis for processing based on guidance released by the various supervisory authorities over the years.
The past five years have seen a myriad of fines and enforcement actions against organisations, encouraging them to ensure that appropriate technical and organisational measures are implemented.
Unfortunately, there is no one size fits all approach, so organisations need to ensure they identify the measures that are relevant to their specific organisation and the type and scale of personal data processed. This includes conducting due diligence on third parties processing personal data on their behalf, therefore ensuring they too have appropriate technical and organisational measures in place.
Appointing a Data Protection Officer (DPO) will assist an organisation to maintain compliance with the requirements of the GDPR. A DPO’s role is to inform and advise an organisation on their obligations relating to compliance, assist with due diligence and risk assessments (like conducting Data Protection Impact Assessments), and act as the point of contact for employees, data subjects, vendors and supervisory authorities on data protection issues.
Not all organisations are required to appoint a DPO. However, they may still benefit from having a knowledgeable and experienced individual in place to offer advice and support on data protection, and therefore assist with improving customer trust, loyalty and engagement. Outsourcing the role to a provider such as The DPO Centre means organisations benefit from a significantly wider pool of knowledge and a proactive resource that avoids any conflicts of interest. Given you use only the resource level required, outsourcing is also significantly more cost effective if a full time DPO is not required.
We have also seen greater levels of compliance with data subjectAn individual who can be identified or is identifiable from data. rights. The GDPR affords individuals eight rights; one of which is Data Subject Access Requests (DSAR). DSARs enable data subjects to gain access to their personal data being processed by organisations. We have seen compliance challenges with this particular right increase significantly in recent years. This may be due to data subjects being more aware of their rights, institutions making it easier for data subjects to gain access to their data, the pandemic increasing awareness, or the recent CJEU ruling stating that data subjects have a right to know who has received their personal data.
The past five years have seen a shift away from hiding data protection practices from data subjects, and more towards an open and transparent approach. Providing accessible and easy-to-read privacy notices and policies enables data subjects to understand what is happening to their data and why, therefore building trust.
This is equally important for employee data. Organisations should ensure that employees are not only aware of why their personal data is being collected and used but also:
Having notices in place comes full circle to the point of ‘know your data,’ and clearly shows that organisations have become more transparent and open about how personal data is being used.
Although the past 5 years have seen considerable progress in respect of compliance with the GDPR, we still have a long way to go. Organisations of all sizes need to do more to progressively improve their compliance in an ever-changing global privacy landscape. This is especially evident with the rapid proliferation of AI (Artificial IntelligenceThe use of computer systems to perform tasks normally requiring human intelligence, such as decision-making, speech recognition, translation etc.) and large language models (like ChatGPT) and their ability to harvest vast amounts of personal data for training – this being something we mentioned in our recent blog. Organisations need to ensure that their utilisation of these new and emerging technologies remains compliant.
Organisations have significantly improved compliance processes over the past five years. We see this demonstrated through compliance being talked about in everyday life and regulatory enforcement becoming ever more prominent. Whether this is due to awareness from data subjects, awareness of the importance of compliance with data protection laws, or the threat of damaging a reputation, organisations have become more diligent in complying with data protection regulation.
If your organisation would benefit from expert data protection advice and support, please complete the form below, and a member of our team will be in contact.
Fill in your details below and we’ll get back to you as soon as possible