The EU General Data Protection Regulation went live at the end of May 2018, followed closely by the new UK Data Protection Act 2018. Both have had significant implications for organisations handling personal data and for many, the last two years have been a time of making sense of the legislation, understanding what the legislation means for their business and trying to implement improvements where current practices have been found to be lacking.
Many of the organisations we’ve supported have made huge steps forward in data protection compliance, including improved practices around:
- Ensuring their staff understand their obligations in relation to data protection and IT Security
- Implementing a Privacy by Design approach to effectively managing information risks
- Ensuring they have clear processes in place for dealing with data breaches
- Supporting individuals’ rights via clear privacy notices which document how individuals can exercise these rights
- Improved technical security of systems processing personal data
However, there is still work to be done, and even where clear structures are in place for managing risks to personal data, it will be key that these are effectively rolled out and used across your organisation. The ICO’s One Year On update reported that, alongside generally promoting and regulating data protection across the UK, its focus for the next year will be on the following key regulatory areas:
- Cyber security
- AI, big data and machine learning
- Web and cross-device tracking for marketing purposes
- Children’s privacy
- Use of surveillance and facial recognition technology
As supervisory authorities across Europe start to use their strengthened powers to fine and prosecute organisations and individuals, it will be key for all organisations to remain focused on implementing improvements in all areas of Data Protection and IT Security through 2019-20 and beyond.