We all thought that the most dramatic aspect of GDPR enforcement would be fines for data breaches, and that the primary driver for GDPR compliance would be the desire to avoid data breaches. While there have been some spectacular data breaches, accompanied by the prospect of some eye-watering fines, the emerging reality is that Supervisory Authorities are enforcing the whole of the GDPR, not merely those aspects that relate to data breaches.
So far this year, Supervisory Authority decisions have made it clear that:
- Segregation of Duties where a DPO is concerned is non-negotiable; unless, as an organisation, you are large enough to afford employment of your own standalone internal DPO, acquiring services from an outsource supplier is the only practical route forward;
- Article 32 requirements that organisations have in place appropriate Technical and Organisational Measures (TOMs) to ensure that data is really protected are also non-negotiable; boards and customers will have to seek assurance, through regular Article 32 audits, that the appropriate TOMs are in place;
- Consent for marketing activity, accompanied by a clear Privacy Notice and properly operating opt-out mechanisms, is a must; boards and marketing managers will have to continually check that their marketing activity is within the law.
Of course, and in parallel, the CJEU has invalidated the EU-US Privacy Shield and made the use of Standard Contract Clauses much more difficult for all data exports.
The overall conclusion that I draw from this activity is that organisations need to review the totality of their GDPR compliance activity and, wherever they have let compliance processes lapse because they’ve thought GDPR has ‘been and gone’, now’s the time to get on top of all aspects of compliance, not just those that have triggered recent enforcement activity.
And the GRCI Group – with offices in the UK, the EU and the US, and delivery capability that includes GDPR gap analysis, implementation, legal and ongoing compliance (Privacy as a Service) offerings, as well as the broad range of necessary cybersecurity, training and support services – is probably best placed to help address that myriad of interlinked risk and compliance challenges.