May 25, 2018 revolutionised data protection. That was the day the GDPR came into effect. One year on, what have we learned about GDPR, and what do you still need to focus on?
May 25, 2018 was a red-letter day for data protection. That was the day the EU’s flagship legislation, the General Data Protection Regulation, became enforceable across the EU. It is one of the strongest pieces of data protection law in the world and is serving as a model for how such legislation can work. One year on, what have we learned about GDPR, and what do you still need to focus on?
A data protection revolution
GDPR revolutionised data protection in three ways. Firstly, it gives users new and stronger rights. These include:
- Consent, where you rely on it, must be freely given, specific, informed and unambiguous, and it must be as easy to withdraw as it was to give.
- The right to be forgotten (right to erasure): when a user asks, you must irretrievably delete their personal data without undue delay, including copies held by your processors, unless one of the limited exceptions in Article 17 applies (for example, a legal obligation to retain records).
- Data portability: users can ask for their data in a structured, commonly used and machine-readable format and, where technically feasible, have you transmit it directly to another provider.
Enabling these rights is far from trivial. Secondly, GDPR breaches are backed up by really significant fines: up to €20M or 4% of global turnover for the previous financial year, whichever is higher. Thirdly, it obliges companies to report personal data breaches to their data protection authority within 72 hours of becoming aware of them and, when the breach is likely to put affected users at high risk, to tell those users as well.
A few weeks of panic
As a result of the threat of fines, GDPR day caused panic in many companies. Suddenly, they all needed to update their privacy policies, seek informed consent from all their users and put in place plans to purge their contact lists. Most companies managed to sort this out, helped by the fact that mailing-list providers built tools to assist. For most non-technical people, the upshot was a flurry of emails asking them to confirm their list memberships, give their consent for data processing, and so on. Users quickly developed GDPR fatigue and started to ignore the emails, so the side effect for businesses was to suddenly lose a large number of subscribers and contacts, many of them by accident.
GDPR fines and cases
One question lots of people had was how actively GDPR would be enforced. Some data protection authorities (DPAs) implied they would give a grace period during which they would use enforcement notices rather than fines. That did not stop people from submitting huge numbers of complaints and breach notifications. In a news release dated 22 May 2019, the European Data Protection Board published summary statistics: a total of 281,088 cases had been reported to DPAs, of which 51% were individual complaints and 32% were breach notifications. In the nine months to February 2019, GDPR fines totalled €55,955,871 (though admittedly most of that is the €50M fine CNIL imposed on Google in France).
Compliance is more than organisational measures
Unfortunately, all the panic about privacy policies, consent and so on concerned only the organisational measures in GDPR. In our experience, many companies overlooked or downplayed the technical measures that Article 32 requires. In particular, special categories of personal data (such as health data, Article 9) need additional technical protection. So ask yourself: have you implemented these three simple but vital steps?
- Pseudonymise your users' data: store records under a keyed token instead of a direct identifier, and keep the key (or lookup table) that links token to person somewhere else. It is straightforward to do, and GDPR names it explicitly as an appropriate safeguard.
- Implement consent tracking: record who consented to what, under which version of your policy and when, and honour withdrawals. This is essential under GDPR. Check out the Consenta.me plugin.
- Encrypt data at the record level, with a key per record or per user, rather than relying on disk or database encryption alone. If an attacker dumps the database, each record is useless without its key, and under Article 34(3)(a) a breach of data that is unintelligible to unauthorised persons need not be communicated to the affected users.
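Pseudonymisation and record-level encryption, together with the right-to-be-forgotten handling described earlier, fit into one design. The following is an added example in Go; it is not code from the original post or from any Chino.io product. The `Vault` type, its method names and the two in-memory maps are assumptions for illustration: the `keys` map stands in for a key store (a KMS or HSM) held apart from the record database, and a production system would wrap each record key under a master key there rather than hold it raw. Pseudonymisation uses a keyed HMAC so the token cannot be reversed by hashing a list of known e-mail addresses; each record is encrypted with AES-256-GCM under a key generated for that record alone, with the pseudonym as associated data; and an erasure request is served by deleting the record's key (crypto-shredding), which also renders every backup copy of the ciphertext unreadable without having to track the copies down.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// Vault (hypothetical name) keeps the secrets apart from the records: the database
// holds only pseudonym -> ciphertext, while pseudoKey and the per-record keys live
// in a separate store (the keys map is a stand-in for a KMS or HSM here).
type Vault struct {
	pseudoKey []byte            // HMAC key that turns identifiers into pseudonyms
	keys      map[string][]byte // pseudonym -> per-record AES-256 key; deleted on erasure
	records   map[string][]byte // pseudonym -> nonce || AES-GCM ciphertext
}

func NewVault(pseudoKey []byte) *Vault {
	return &Vault{pseudoKey: pseudoKey, keys: map[string][]byte{}, records: map[string][]byte{}}
}

// Pseudonymise maps a direct identifier to a stable token with a keyed HMAC, not
// a bare hash: without pseudoKey nobody can rebuild the mapping from known e-mails.
func (v *Vault) Pseudonymise(identifier string) string {
	mac := hmac.New(sha256.New, v.pseudoKey)
	mac.Write([]byte(identifier))
	return hex.EncodeToString(mac.Sum(nil))
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM encrypts under a fresh random nonce and binds the result to aad.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM; any tampering with the ciphertext or aad fails here.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Store files the payload under the subject's pseudonym, encrypted with a key made
// for this record alone. The pseudonym is the AAD, so a ciphertext cannot be
// quietly re-attached to a different subject.
func (v *Vault) Store(identifier string, payload []byte) (string, error) {
	p := v.Pseudonymise(identifier)
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return "", err
	}
	ct, err := sealGCM(key, payload, []byte(p))
	if err != nil {
		return "", err
	}
	v.keys[p], v.records[p] = key, ct
	return p, nil
}

// Read decrypts the subject's record; once the key is gone there is nothing to read.
func (v *Vault) Read(identifier string) ([]byte, error) {
	p := v.Pseudonymise(identifier)
	key, ok := v.keys[p]
	if !ok {
		return nil, errors.New("no readable record for this subject")
	}
	return openGCM(key, v.records[p], []byte(p))
}

// Erase serves a right-to-be-forgotten request by crypto-shredding: destroying the
// record's only key leaves its ciphertext, and every backup of it, unreadable.
func (v *Vault) Erase(identifier string) bool {
	p := v.Pseudonymise(identifier)
	if _, ok := v.keys[p]; !ok {
		return false
	}
	delete(v.keys, p)
	return true
}
```

Note what the separation buys you: a dump of `records` alone contains nothing readable, which is exactly the "unintelligible to unauthorised persons" case of Article 34(3)(a). The flip side is that losing `keys` loses the data, so the key store needs its own backups, access control and audit trail, and the pseudonymisation key must never be deployed next to the records it protects.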
Why worry now?
Our belief is that DPAs will soon become much more aggressive in enforcing GDPR’s technical measures. Indeed, we have already seen fines specifically related to them. Notably, Centro Hospitalar Barreiro Montijo in Portugal received a €400,000 fine because large numbers of non-clinical staff had access to sensitive patient data in its clinical system through an error in user permissions, a failure of least privilege under Article 32. The DPA dismissed the hospital’s argument that, since it had not built the system, it was not responsible for how the system was configured. You can read more about this and other cases in our blog on GDPR fines.
How can I check if I am compliant?
As we all know, developers tend to put off things that are complex to understand or hard to implement; they would rather procrastinate or ignore the problem. That is not a good strategy when you are risking fines of €20M or more. This is why we created the Chino.io API: it is simple to implement, cost-effective and works with any technology stack you are using. Even better, we now offer everyone a free technical assessment in which our experts review your current compliance in detail and give you instant feedback plus a detailed compliance report.