Unless you’ve been living under a rock, you’ll be aware of the General Data Protection Regulation (GDPR) which came into force on 25 May 2018.
Whilst businesses rushed to complete their GDPR implementation projects, there was a sense that come 25 May, everyone will breathe a big sigh of relief and things will die down again. I expect you’ve realised that this isn’t the case. Privacy hasn’t gone away, and it won’t do. With more stringent obligations on controllers and legal responsibility for processors, privacy should remain at the forefront of every business owner’s mind.
This blog will outline why data protection compliance is here to stay and will give you an idea of the things you will need to think about going forward.
1. A privacy culture
Privacy will continue to grow in importance as technology booms and businesses find new ways and purposes of processing personal data. Ongoing privacy governance, policies and procedures need to be maintained and reviewed on an ongoing basis. Essentially, this means that whenever you are designing new products or services, implementing new software, undertaking processing activities or engaging a third party to process personal data on your behalf, you will need to do so with privacy in mind, by default. This can only be achieved by creating a culture of privacy within your business.
2. Privacy has become a critical part of closing a deal
Some businesses (particularly smaller ones) have attempted to hide behind the premise that “the ICO won’t come after us, they’ll be after the Facebook’s and the Cambridge Analytica’s of this world” to avoid taking the GDPR seriously. Whilst it may be true that bigger corporations are more likely to be on the ICO’s radar, privacy has become a commercial imperative. Businesses that cannot answer privacy compliance questions will find it increasingly difficult to close deals and those that fall foul of their contractual obligations are likely to face an ugly claim for damages.
3. The future looks murky for international data transfers
Transfers of personal data outside the EEA to other worldwide territories (particularly to the US) have received scrutiny in the Court of Justice of the European Union. After the declaration of invalidity of the Safe Harbour Agreement, it has been questioned whether the Privacy Shield and the Model Clauses sufficiently protect personal data being transferred outside Europe, and their validity too, is being questioned by the Court. Beyond this, the European Commission is reviewing the ‘adequacy’ status of countries currently deemed safe to receive EU data. Businesses that rely on these transfer mechanisms should therefore pay careful attention as the playing field is likely to change in the near future.
So, to take away – you need to remember that the GDPR is not a one-off compliance effort. On the contrary, it is a continuous process that will need to be constantly evaluated and one that will evolve over time. Privacy hasn’t gone away since the GDPR came into force and it’s not going to. Privacy is going to continue to present challenges to businesses and these challenges need to be embraced. The GDPR has been extremely helpful in raising awareness, but businesses will need to ensure that they innovate, grow and compete amid this new regulatory landscape to build trust, manage risk and win business.