Written by Anthony Fraser
The May 25th deadline for GDPR has come and gone and for most people the most tangible aspect was probably the flurry of emails they received in the run up to the deadline containing privacy notices from companies they had forgotten they had signed up with in the first place. Brief coverage of in the news over the go-live period highlighted that the majority of members of the public were unaware of what GDPR stood for or what it meant for them. This may well have been the first and last that they will hear about GDPR, and for companies, it may be tempting to think that the hard work is done and it is back to ‘business as usual’.
This typifies the confusion about what GDPR means in practice; the reality is that the practical ramifications of the new regulations are only likely to become apparent over time.
We can all read the GDPR regulations; the Information Commissioners Office have provided a number of straightforward guides to the regulations: click here to read them. However, once you get into the detail of the new rules they can have some pretty significant practical implications, and while companies have put in place procedures to reflect the rules, I suspect these are to a greater extent untested.
For example, amongst the many emails I received last week was one from a major company I have not had dealings with for a couple of years. So I wrote to them asking for them to delete my information save for what they need to keep for legal or equivalent purposes. One month later I am still waiting for their response!
The more clued-up companies, particularly those whose business models depend on our personal data, are clearly giving this area more thought. Still, based on personal experience it is not clear that they are making it easy for you and I to manage our data and in particular, to control access to it by third parties. For instance, if you go onto a certain social networking site, it is relatively straightforward to use ‘privacy settings’ in order to limit access to your personal data by individuals outside your circle of friends, but try finding similar settings for third-party companies! Indeed, a number of social networking sites have already received lawsuits relating to GDPR, in particular about the ‘all or nothing’ nature of the consent agreements.
For the average company the real practical implications of GDPR are only just starting to emerge. It is likely that the results of high profile lawsuits as well as judgments by the ICO will start to determine some of the de facto practices. Companies will almost certainly need to adjust their processes and procedures as these implications become clear. That said, there are particular areas that companies should already be thinking about:
- Use of the data and consents
- Cross border data transfer
- Portability of data
- Data security
- Subject access requests
- Erasure – ‘right to be forgotten’
- Sensitive data
There is a danger that companies ‘tweak’ existing processes to ‘meet’ these requirements rather than thinking more fundamentally about the implications of each of these for their processes. Ultimately, time and the ICO will tell whether they are fit for purpose.
GD Financial Markets has extensive experience helping firms to get ready for GDPR. If you would like practical guidance including an assessment of your current processes, please contact firstname.lastname@example.org.
Contact the Author
Anthony Fraser is an advisor with GD Financial Markets, working with the partners to develop client solutions. He has extensive experience in financial service operations including technology implementations and regulatory processes. Anthony is a chartered engineer and a member of the Institute of Engineering and Technology. You can contact him at email@example.com.