One Year On: A GDPR Snapshot
The EU’s General Data Protection Regulation (GDPR) came into force on 25 May 2018. Steve Thorn, Executive Director, Digital at Civica, explores how far the UK has come since, and how organisations can boost their journey towards total compliance.
It’s a year since the implementation of the General Data Protection Regulation (GDPR) and the days of sifting through a long list of emails to ‘opt-in’ or update your privacy settings are almost forgotten.
The deluge of privacy policy emails last May showed that every organisation had a hefty amount of work to do when it came to aligning and safeguarding their data.
Lots of progress has been made, but what has been achieved since, and what positive impact has the regulation had on businesses and individuals themselves?
What technology tools and approaches have successful organisations used to further themselves down the compliance journey? And what does the future look like in a GDPR-compliant world?
Becoming data-aware
According to a recent report, local councils are now receiving 467,000 Freedom of Information requests per year, almost double the estimate produced by University College London’s Constitution Unit back in 2010.
This highlights people’s increasing desire to know about their data and how it’s being used. Now, thanks to GDPR, they can and will exercise their right to demand power and control over what personal information is being held in the public sphere.
It seems that citizens now have a growing understanding of the importance of data sharing, as we start to see benefits such as joined-up health and care records. And although news of cyberattacks, outages and large fines has somewhat dominated the GDPR conversation, what we should be focusing on is how many breaches have actually been prevented by the advent of the new regulation.
Building citizen trust
Citizen trust around data sharing has no doubt been harmed by recent events such as the 2018 Facebook-Cambridge Analytica issue. Although data sharing offers citizens significant advantages, these benefits will only be achieved if organisations work hard to maintain public trust by being transparent in how they use data.
In fact, our UK-wide study looking at trust and data found that more than half of those surveyed (53%) would trust organisations more if they were clear about what personal data they stored and how they use it.
Now, with the GDPR framework in place, complete transparency is necessary for businesses adhering to the regulation. We’re therefore increasingly seeing organisations embedding GDPR principles into their business operating models and building an organisation-wide culture of security and transparency through strengthened and disciplined governance structures.
With this becoming the norm, we may even see citizens handing over more trust to organisations to handle their data.
A shifting focus
In recent months, organisations have started to move towards building responsible data sharing practices into business-as-usual operations. As with most regulations, in the first six months of GDPR coming into force, many businesses were playing catch up after years spent capturing large amounts of data.
One year on, we’re seeing more and more organisations sharpening their compliance processes: ensuring their workforce gets refresher training on data security best practices, and revising and streamlining processes, leading to greater efficiencies and reduced data storage costs and risks.
There has also been a significant uptake of cloud and automation tools to help facilitate compliance. For example, at Civica we have seen many of the organisations we work with now using semi-automated tools to deal with the case management around subject access requests.
Technology such as master data management solutions will play an important role in proving data has been deleted everywhere in an organisation where it needs to be.
GDPR may have slowed down even well-intended projects with citizen interests at their core, as they must now consider the lawful basis of processing and associated requirements around consent and notifications. But there is no doubt that innovation will continue to thrive.
It’s clear that many organisations across the public and private sectors have taken their responsibilities seriously and worked hard to improve processes, harden systems and environments, improve security awareness and increase transparency.
With the right governance structures in place, and the right approach (particularly regarding increased transparency), organisations can move along their compliance journeys while developing new data sharing initiatives to help join up public services for the common good.