Have companies done enough to comply with GDPR?

Richard Wheaton

You visit a newspaper website. A window pops up. You agree to share your data with every adtech partner present on the publisher’s website. Your permission now sits in a “consent string”. All of the listed adtech partners have access to that consent string for targeting messages to you in the future, unless you return, find your profile and change your opt-in.
What have you done? Do you feel like you are now in control of your data? Have these opt-ins improved your connections with brands? Are they talking to you in the formats, channels and times that suit you?
Your answer to these questions will be, most likely, no. Even the most technically literate among us will be asking: “But how would I even do that?” The less technical will be saying, “I gave up even wondering about how to do that years ago.” And a few will be saying, “No, they are ‘talking to me’ in ways that I explicitly asked them not to… I’ve reported the ensuing data infringement to the Information Commissioner’s Office, and I’m awaiting the trial date.”
Frankly, the world of data doesn’t feel much better after 10 months of GDPR. To summarise the state of play in the UK, people now have a heightened awareness of their rights, and companies need to be ready for complaints about their handling of data.
UK Information Commissioner Elizabeth Denham has commented that demands on the ICO team have grown by over 100%, including “more complaints from the public… about subject access, data portability and data security”. The ICO’s own research tells us that only one in three people in the UK trust organisations to handle their data in line with the law. Those are sobering statistics.
In mitigation, the ICO says that GDPR is helping to fuel a greater privacy awareness among Europeans, and a corresponding increase in the accountability for organisations that buy, sell, trade and store Europeans’ personal information.
If it makes you feel better, there are nine countries in Europe with more data breaches per capita than the UK. According to a recent survey by DLA Piper, the Netherlands has the highest number, with 89.8 reported per 100,000 people. Overall, the UK has the third highest total reported breaches, with more than 10,000. Only the Netherlands (15,400) and Germany (12,600) have more.
With more than 59,000 reported breaches across Europe in the first nine months since GDPR was implemented, the first lesson companies have learned is that, more than anything else, they need to know what’s gone wrong, so that they are able to respond to any complaints.
The first measure of good data practice is for companies to have accurate and well-documented processes for capturing and managing the data. And, to be fair, people’s concerns about the failure of companies to comply with the law are well-founded. So far, again according to DLA Piper, only 57% of UK companies have audited their data, a key step to compliance with the new regulation. So the fact that the ICO’s first line of enquiry to a reported breach is all about governance should be a concern to a lot of UK companies.
In Denham’s words “If, within the 72-hour time limit, a UK organisation has no clue as to the who, the what, the how of a breach, then it is clear that they do not have the required accountability data checks and balances in place – as required by law. I believe that data breach reporting drives companies to invest in better security and better data governance. For this reason, I believe breach reporting to be one of the most significant upgrades in the new law”.
The ICO is categorically stating here that the first principle of GDPR compliance is for companies to have the documentation in place, to monitor data storage and understand the risks if any breach takes place. This documentation needs to capture the process by which the company has made a chain of decisions about their cookie management systems and their adherence to the laws about the processing and storage of personally identifiable information.
The adtech industry that powers these tools has made data exploitation more effective, but companies need to work with a digital expert to implement new practices for data collection and processing that will satisfy the requirements of the law enforcers.
All of the data laws are aimed at a goal that all of us want to achieve – a smoother, less intrusive browsing experience, with greater transparency for users, respect for privacy and faster loading times for websites. Some 10 months on, there is much work that needs to be done by UK companies to comply with the spirit and the letter of these laws.

Richard Wheaton is managing director of 55 London