The European Union’s General Data Protection Regulation (GDPR) replaced the Data Protection Act 1998 (DPA) this May. The length of time an EU organisation has to comply with a Subject Access Request (SAR) or a right to be forgotten request, and personal data, will never be the same again.
Since May 25th, what has really changed? GDPR isn’t a destination, it is a journey. An organisation could have been compliant on May 25th. Now, over a month later, are they still compliant? This isn’t the end. We have already heard that the NIS Directive is now in force and the ePrivacy Regulation is on its way. We are still receiving emails from various companies whose mailing lists we may have signed up to over the years, seeking approval to send newsletters and announcing changes to privacy policies. We are also seeing the addition of pop-ups to sites, new legal notices, and barriers springing up from as-yet non-compliers. Some US-based sites have blacklisted access by Data Subjects in the EU until they are GDPR compliant.
GDPR has given people more control over how EU organisations collect and use their personal data. On the first day of GDPR coming into effect, big names like Google and Facebook were hit with lawsuits. This has now resulted in possible new penalties of up to 4% of global turnover. Both companies have released policies and functionality to comply with GDPR. However, there are still areas where the collection of consent is a very all-or-nothing move by the tech giants.
Information online is a borderless market, from the larger companies to the dark web users. We, as Data Subjects, put a lot of trust in organisations to use our data for the purpose for which it was acquired and to keep it safe and secure. Now GDPR is creating a trustworthy data protection culture.
Our Continued GDPR Efforts
When we prepared our GDPR Readiness Roadmap, we looked at every piece of personal data we collected and used, from our employees to our customers. For our employees, we looked at how our staff awareness programmes could benefit them, not just with how we as an organisation use their data, but also with how other organisations use their data, regardless of their location. We see this as a continuous effort and we will:
- Continue to encourage our staff to be aware of the data they deal with, their own data that we store and the data they provide to other organisations.
- Continue to update our policies with transparency in mind.
- Continue to add functionality needed by our Customers, who are themselves navigating their GDPR journey as Data Controllers.
GDPR is a good thing. Organisations like ourselves, who assist our Customers as Data Controllers in their processing activities, protect any personal data that we come into contact with. With VisionBlue (now Aryza) entering new jurisdictions, such as Canada and New Zealand, we welcome the GDPR framework. We are aware of the privacy regulations in other jurisdictions. When required, we will be able to handle any clashes. We are actively monitoring our data privacy policies and storage of personal data in our efforts to continuously optimise our GDPR journey.