GDPR one year on: what next for data protection?
It's hard to believe that we're almost one year on from the biggest shake-up of data protection laws for a generation. Much of the publicity – and the panic – surrounding the GDPR's implementation date of 25 May 2018 has thankfully subsided, but for those working in data protection the task of compliance continues to pose new and novel challenges. Our data protection expert Jon Belcher reflects on the past year and considers some of the future challenges for data protection practitioners.
In the run up to May 2018, organisations were busy preparing for the GDPR. Key activities included awareness raising, carrying out data audits, putting together comprehensive records of their processing activities and updating their privacy notices. There was a real focus on understanding the lawful bases for processing, perhaps best seen by the glut of re-consent emails many of us were receiving a year ago (whether or not they were strictly necessary is another matter). And controllers were bombarding their processors with contract variations to meet the new Article 28 requirements. Most controllers, although by no means all, have now made these changes and their focus has moved on. In a way, that was the easy bit.
A year on, the current challenges are subtly different. As awareness of rights continues to grow, organisations are having to grapple with an increase in the number and complexity of individual rights requests, such as subject access and the right to be forgotten. For new projects, it's about carrying out data protection impact assessments and trying to embed privacy-by-design principles. And the ever-present threat of data security breaches, and how best to deal with them, hangs over all organisations. If that wasn't enough, the uncertainty surrounding Brexit and its potential impact on international data transfers is continuing to cause concern. So there's still plenty to keep practitioners busy.
It's been a big year too for the regulator. The Information Commissioner's Office has made plenty of headlines with its high-profile investigations into Facebook and political advertising, but predictions of huge fines have not yet materialised. Instead, practitioners have had to look elsewhere in Europe for enforcement action under the GDPR. The €50 million fine imposed on Google by the French regulator, the CNIL, was certainly the most eye-catching, but there is now an increasing body of decisions from other jurisdictions. It is surely only a matter of time before the ICO follows suit, although this cautious approach is very much in keeping with the ICO's historic practice.
Alongside enforcement, one of the ICO's most important functions is the provision of guidance. There has been a huge amount of work done in this area, with new information regularly added to the ICO's website. But the GDPR and the Data Protection Act 2018 are weighty documents, and there remains considerable frustration that, almost one year on, large areas still lack detailed guidance. The European Data Protection Board has also produced guidance, but again this is patchy. So plenty for the regulators to do, too.
What are we likely to see in the next twelve months? In a sense, it will be more of the same. Practitioners will still be grappling with thorny compliance challenges, data breaches will still hit the headlines and the body of enforcement actions will continue to grow. There's currently no sign of Brexit uncertainty going away, either.
But not everything will stay the same. This is still a very new law, and we are in the very early days of implementation. Court cases, regulatory action and new guidance will inevitably change our understanding of key concepts and alter our thinking about compliance. The limits of new concepts such as 'manifestly unfounded' and 'disproportionate effort' will be tested, revised and tested again, by the regulators and the courts. The much-anticipated draft ePrivacy Regulation may finally be agreed, there is renewed political impetus for new rules to regulate social media, and applying data protection law to new technologies will continue to raise difficult questions for practitioners.
All of this means that data protection will remain a dynamic and (dare I say it) exciting area of law for some time to come. We will continue to work to keep our clients up to date with all of these developments over the next twelve months and beyond.