The Accountability principle
When the General Data Protection Regulation (GDPR) came into force in May 2018 it introduced a new data protection principle: Accountability. This principle requires organisations to be able to demonstrate their compliance, and it introduced a number of new obligations, from carrying out DPIAs and reporting breaches to documenting your data processing activities (so you have that to hand if the ICO should ask).
But that’s not all. Article 24 of the GDPR, when setting out a Data Controller’s obligations, says Controllers need to “implement appropriate technical and organisational measures” to ensure and demonstrate compliance, and that “those measures shall be reviewed and updated where necessary”.
What this means in practice will depend on your organisation. Arguably you should be ensuring GDPR compliance on a daily basis, but for most organisations at the very least GDPR compliance should be kept under review at “appropriate intervals” (according to the ICO).
So, this means that you should, on a regular basis (probably annually), make sure your processes are up to date and reflect your current data processing activities.
In today’s “new normal” this is more important than ever! So, here are three reasons why you should be considering reviewing your GDPR compliance right now – if one or more of these applies, you really should be meeting your Article 24 obligations:
1. It’s two years since GDPR came into force
Believe it or not, GDPR came into law over two years ago (on the 25th May 2018 to be precise). If you’ve not looked at your GDPR compliance since, or at least not considered whether it needs updating, then you really ought to check you’re still compliant.
2. Has your business changed?
If your business has changed in the last two years, or since you last checked your GDPR compliance, you should be reviewing your GDPR compliance. Right now, this could be because:
- Coronavirus has meant you’ve changed the products or services you provide
- Coronavirus or otherwise, you’re doing things differently now (introduced new systems, new processors, etc.)
- You’ve taken on more staff (remember there are some Accountability principle obligations that change if you have over 250 employees)
- You’ve had to let staff go – so is GDPR compliance still being taken care of?
3. The “new normal”
Coronavirus has certainly served us a curve ball. We’ve had to think on our feet in terms of what we offer and how we work. There are a number of things you may have changed recently thanks to COVID-19 that require you to look again at your GDPR compliance:
- Your employees are working from home either on a more permanent basis, or you’re more flexible for home working – have you made sure this is GDPR compliant?
- You’re using video conferencing (e.g. Zoom) more often rather than meeting people in the flesh
- Employees are returning to work and you may be having to deal with temperature checks or the NHS Test & Trace programme if someone isolates having tested positive
I think the key thing here is that in the recent past, whilst we’ve been in lockdown, there’s been an element of us doing our best in the circumstances, and that may be a good excuse if things aren’t quite right. But as our new ways of working become more normal, there is likely to be less acknowledgement or excuse for simply doing your best, and more focus on this being the new normal: you now need to make sure you’re getting it right. Excuses won’t do for much longer.
4. Brexit-proper is coming
From 1st January 2021 the Brexit transition period will have ended and the UK will have properly left the EU. From a GDPR perspective there are some challenges, particularly if you target EU citizens and/or process EU citizen data on behalf of EU organisations. Furthermore, there are implications around the GDPR “one stop shop” for enforcement, EU and UK representatives, and questions about whether the EU will grant the UK an adequacy decision under GDPR. You need to prepare now for what this might mean for your organisation come 31st December 2020.
5. Elements of the law change
Whilst it can be argued, particularly in the UK, that very little enforcement action has been taken under GDPR (there has only been one GDPR enforcement so far), the recent ICO annual report indicates they’re not sitting idle. But that’s not all:
- Guidance and interpretation changes from time to time
- The ICO sometimes produces more detailed guidance, or codes of practice (e.g. on marketing, on services aimed at children, etc.) that might apply to you
- A recent legal case has meant there are now questions about using US data processors
If you’re not up to date on any new developments or changes and haven’t updated your internal processes, staff, etc., then your GDPR compliance may well be out of date.
We’re here to help
Get a 3 month “review and do”
If your GDPR compliance needs a refresh or a review, sign up for our “review and do” service – this is a 3 month subscription to our GDPR UNLIMITED helpline where we use the “hands-on” hours (4 per month) to carry out a review, report on our findings and help you implement the recommended actions. Not only is this a cost-effective way to review your GDPR compliance, but it helps you spread the cost as well, and you get access to our online resources and unlimited email/phone support (although we can of course carry out a standalone review and report as well). If this is of interest, you can sign up for the 3-month “review and do” here, or find out more about our services here, or just set up a call for us to have a chat about your GDPR compliance and how we can help.
Get up to speed and learn the GDPR detail
If you’re looking to get back up to speed with what GDPR compliance is all about, we’re re-running our 10 week GDPR Weekly Workout. Starting on the 7th August with a free GDPR refresh session, we will look, week by week, at the various elements of GDPR in detail. You can find out more about our GDPR Weekly Workout here and sign up for all 10 sessions, for a discount (and to spread the cost), here.
Or just simply get in touch with us, for a chat.
Providing cost-effective, simple to understand and practical GDPR and ePrivacy advice and guidance, via my one-stop-shop helpline. I ❤️ GDPR