GDPR one year on: What has HR learnt?
Ann Bevitt, May 30, 2019
While there have been few enforcements to date, some important lessons have emerged
To mark the first anniversary of the regulation on 25 May, the EU Commission issued a press release claiming the GDPR had not only made Europe fit for the digital age, but had also become a global reference point. While it's true that the GDPR has changed the landscape in Europe and beyond (see, for example, the new Californian privacy law and the discussions in the US for a federal privacy law), the Commission also recognised that compliance is a dynamic process and does not happen overnight. So how different are things now, one year on?
The impact of the GDPR varies hugely across different organisations. In some companies there has been a complete change in culture around privacy and data protection, with businesses wholeheartedly embracing GDPR compliance. In other businesses, it’s definitely been more of a box-ticking exercise with little to no embedded change in practice.
To some extent the impact has yet to be felt, in that we haven’t yet seen significant enforcement activity. Many supervisory authorities (SAs) have used the one-year milestone to promise that big fines are coming but, in the meantime, what are the key takeaways from the enforcement actions to date?
Ensure consent meets GDPR standards
To rely on consent as a legal basis for processing, it must be specific, informed and unambiguous. But consent of that standard is notoriously difficult to obtain from employees, given the imbalance of power in the employment relationship. Recent enforcement activity has shown that separate consent must also be provided for each distinct purpose for which data is processed, so consents cannot be 'bundled' together. Requiring individuals to navigate their way through multiple tick boxes (which cannot be pre-ticked), pop-ups, or other consent mechanisms is likely to be unattractive and, as a result, reliance may be placed on alternative legal bases, if available.
Do not keep personal data for longer than necessary
Personal data should be kept for no longer than is necessary for the purposes for which it is being processed. Because of the binary nature of compliance – an organisation either has a retention policy with which it complies or it does not – it is an easy breach for SAs to assess, and so more likely to be subject to enforcement action. To evidence that personal data has been deleted from its systems and backup systems, organisations should maintain deletion logs.
Implement appropriate technical and organisational measures
Appropriate technical measures are essential to keeping personal data secure. The specifics of the measures will depend on the nature of the processing and personal data involved, but there are basic steps that organisations can take to protect personal data. For example, implementing encryption methods can mitigate the effect of a data breach and will be taken into account by SAs when assessing a breach.
Beyond ensuring the integrity of an organisation’s security systems, appropriate security measures will require careful consideration and should be periodically reviewed by organisations, in addition to being front of mind when designing and implementing systems. Making the wrong decision, or failing to make a decision at all, could result in unwanted regulatory scrutiny.
Make use of data protection impact assessments (DPIAs)
The GDPR requires organisations to conduct a DPIA where new technology is involved and, taking into account the nature, scope, context and purposes of the processing, where there is likely to be a high risk to the individual. However, organisations should consider performing a DPIA even where not strictly necessary for the following reasons:
- 'High risk' is subjective and there is always a risk that SAs will reach a more conservative view.
- DPIAs can help organisations understand the impact processing will have on individuals and help determine what information should be provided and how. In that sense DPIAs are a useful tool for organisations rather than a compliance burden.
- As well as creating a paper trail that outlines the decision-making process that relates to processing activities, DPIAs can help cultivate a privacy-friendly culture within an organisation.
- Businesses that are in the habit of performing DPIAs will be better prepared to deal with the queries and investigations of SAs.
In less than a year of being in force the GDPR has already stamped its mark on the privacy landscape. Given the unavoidable lead-in time for enforcement action, it is inevitable that we will see an increase in activity in the next few months. However, it is clear from SAs’ actions to date that companies cannot afford not to try to comply as fully as possible with the GDPR. The top issue organisations now face is keeping abreast of all GDPR developments going forward, such as guidance issued by the European Data Protection Board or local SAs, and enforcement decisions by the latter.
Ann Bevitt is a partner at law firm Cooley