GDPR five years on: where are we?

GDPR compliance

It’s hard to believe that it’s been more than five years since we were all hurriedly putting in place the policies and procedures necessary to ensure GDPR compliance. Stories of huge fines terrified us as we pictured a slavering Information Commissioner straining at the leash.

What is GDPR?

The General Data Protection Regulation (GDPR) is the EU’s data privacy and security law –  in their own words, “the toughest privacy and security law in the world.”

UK GDPR

The EU GDPR ceased to affect the UK when the Brexit transition period ended at midnight on 31 December 2020. However, the UK had already enacted the General Data Protection Regulation (DPA), which came into effect on 1 January 2021. And the catchily-titled Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (DPPEC) amended the DPA, merging it with the requirements of the EU GDPR. Thus, we have a UK-specific data protection regime referred to as the ‘UK GDPR’.

Covid 19

An early and unexpected GDPR challenge arrived with lockdown as we struggled to work remotely from home. Check out:

• Home working and data protection
• Ensuring video conferencing is GDPR compliant

Where are we now?

It’s crucial to remember that GDPR compliance is not a one-off box-ticking exercise. Organisations failing to grasp this risk substantial fines. Earlier this year, the UK Information Commissioner’s Office (ICO) fined TikTok £12.7 million for several breaches of UK GDPR, including the unlawful use of children’s personal data. And in the EU, Meta, owner of WhatsApp, Facebook, and Instagram, faced a record fine of €1.2 billion by the Irish data protection regulator.

Of course, these are the headline grabbers, but the ICO’s fines can have a crippling effect on any organisation. Fines are discretionary, with a maximum level of:

• £17.5 million or 4% of annual global turnover – whichever is higher – for infringing any data protection principles or rights of individuals.
• £8.7 million or 2% of annual global turnover – whichever is greater – for infringement of any other provisions.

GDPR policies and procedures must remain under regular review and evolve with your organisation to remain compliant. Take particular care if there are changes to the type of personal data collected and/or how data is used.

If your business merges with or acquires another, creating a group structure, you must consider intra-group transfers of personal data. That includes whether you need a group data-sharing agreement and mechanisms to ensure the legitimacy of any international transfers of personal data.

Common issues requiring attention

Among the common issues requiring attention are:

• References to the EU GDPR as opposed to the UK GDPR.
• Data processing agreements covering international transfers of personal data referring to transfers outside of the EU/EEA instead of the UK.
• Data Processing agreements still referring to the 2010 EU standard contractual clauses for safeguarding personal data transferred outside of the UK to countries without an adequacy decision.
• The content of privacy notices.
• Has your organisation implemented compliant policies and procedures to manage the processing of all personal data?
• Have any compliance obligations and responsibilities changed?
• Ensure that all supporting information and justification is documented correctly and remains valid.
• Ensure employees are carrying out activities in accordance with policies and procedures.

Does your organisation transfer personal data out of the UK?

This is more common than you may think, and if you do, you must assess whether your organisation can transfer personal data from the UK to a country without an adequacy decision, eg the US or India. The Schrems II judgment in 2020 means there is a greater focus on ensuring the protection of personal data in the hands of an overseas recipient than one in the UK.