GDPR, An Honourable Reminder
- AuthorCatherine Almeida
The introduction of the GDPR 25 May 2018 caused widespread projects and detailed compliance projects for every organisation that processes personal data in EU member states.
The key message at the time was ‘data protection by design and default’ essentially, data protection needed to become a norm and embedded within the organisation on a continuous basis, it should be a key consideration in every decision made.
The embarrassment suffered by the UK Government in recent days will undoubtedly publicise a clear reminder to organisations that data protection is essential and no collective body is exempt from their obligations to the protection of data they process.
The recent data loss caused by the UK Government occurred as part of a regular process– the publishing of the New Year’s honours list. Undoubtedly, the consequences of publishing the addresses of the recipients could result in a high risk to the loss of their rights and freedom as an individual, which will put the government under a duty to notify not only the ICO (as it had done) but also the individuals affected by the breach. Further to the requirement to notify they will also need to take steps to support these individuals in mitigating the consequences of the breach.
It will be interesting to see how the ICO respond to this breach and the final outcome of their investigations. Whilst this case should not be the catalyst of a review of compliance efforts, it should serve to remind organisations of the importance of continuing to demonstrate compliance with the data protection principles laid out in the GDPR and Data Protection Act (2018).
Some suggested steps organisations could now be undertaking are:
- Assess your breach notifications processes and ensure they can cope with a mass loss of data.
- Ensure your staff have been trained about your data protection processes and obligations.
- Undertake a review of your Data Protection Impact Assessment (DPIA) to ensure it is still fit for purpose, if you have yet to undertake this process, it should be a priority.
- Remind and refresh staff of the principles of the GDPR and their individual rights.
- Review your Privacy Policies and Notices (both customer, employee and contractors) to ensure they are still accurate.
- Review your supplier lists and ensure data processor/controller agreements are in place and correct.
For more information on how JCP can help your business contact us on 03333 208644 or email email@example.com.