[BreachExchange] Are GDPR standards slipping one year on?

Destry Winant destry at riskbasedsecurity.com
Fri Jun 28 10:36:17 EDT 2019


https://securitynewsdesk.com/are-gdpr-standards-slipping-one-year-on/

Over one year ago, on May 25, the new GDPR standards were set, sending
many organisations into a frenzy to ensure they were dealing with
sensitive data in the correct way. Twelve months on, Mark Harper of
HSM asks whether the UK has adapted well to this legislation or
whether standards are slipping.

The 25 May 2019 marked one year since the new GDPR laws were enforced
upon the UK and Europe. This updated legislation was introduced to
give individuals more control over the personal data companies hold
and how they handle it. So, has this changed the way organisations are
operating?

Well, over the past year, it’s safe to say data handling is different.
In fact, there’s almost no doubt that organisations have changed the
way in which they operate, with ‘Data Officer’ becoming a more
prominent job title as GDPR is more commonly understood. It was only
last year that some business owners and their employees would struggle
to tell you what GDPR stood for, let alone what it meant to their
business.

Aside from this, the fact that home and office shredder sales have
increased across the globe in the last year also shows the shift in
attitude towards the new standards and suggests a willingness from
organisations to sharpen up their data handling processes.

Although the education on this subject has evidently improved, GDPR
compliance requires ongoing attention, which brings its own set of
challenges. So, with that in mind, are we in danger of standards
slipping only one year on?

ICO Action

In the last year, the Information Commissioner’s Office (ICO) has been
closely following those who are failing to remain compliant with GDPR.

As we’ve seen, if an organisation fails to handle an individual’s data
correctly, it can be fined.

In the last year alone, we’ve seen over 200,000 individual cases
reported. No business is immune either, no matter its stature or the
sector it operates in. Our own National Health Service (NHS) has
suffered investigations and fines across the last 12 months. These
investigations span as far back as May 2018, after a London medical
centre left sensitive paper documents containing medical records in an
empty, unsecured building.

Paper documents continue to be an underlying issue for those trying to
follow data protection procedures. A common misunderstanding is that
digital data should take precedence when dealing with GDPR. This isn’t
the case: paper documentation poses just as much of a threat as
digital data. Organisations must continue to update their
physical data destruction methods to ensure they remain compliant and
avoid making the same mistake as the aforementioned NHS medical
centre.

Moving forward with GDPR

It’s clear to see why the thought of large fines captured the
attention of so many last year. However, a fear of fines won’t always
carry the same weight as it once did. Data protection has continued
to evolve since the GDPR enforcement date, and with the grace period
now well and truly over, companies are faced with the important
task of upholding company-wide standards to continually meet the new
regulations.

The importance of recognising GDPR as a developing project was
reinforced by Information Commissioner Elizabeth Denham at last
month’s annual DPPC, hosted by the ICO. “I believe we’re entering a
new stage in GDPR’s development”, she stated. Denham went on to
explain how companies must understand the risks that they create when
processing data, and how this should move us away from the ‘box
ticking’ view that many take of GDPR.

The underlying point that’s consistently made is that companies must
see GDPR as an ongoing operation. It’s never really been enough to
just tick the box. Instead, organisations should build effective GDPR
processes into their business procedures, with a view to acting
responsibly rather than out of fear of fines. Yet this isn’t
necessarily the straightforward task that some believe it to be –
even for those that already have firm data protection systems in
place.

What may have worked for an organisation a year ago may not be as
effective today or five years down the line. This is especially true
for growing or larger organisations that tend to handle a large amount
of data. Consider the sheer number of paper documents alone
that some UK organisations and their employees are handling. A
recent report found that the average company is holding more than half
a million sensitive files, with 17% of those files accessible by every
employee. Whether digital or hard copies, this poses an issue and a
huge number of potential ‘slip-ups’.

Investing in responsibility

For any continual data protection process, investment is key.
Investment in the correct practices and employee education should be a
recurring process to ensure a business is operating as it should be,
all year round.

Referring to the previously mentioned NHS case, a misplaced and
forgotten printout was the cause of an investigation and could have
easily been avoided by implementing the correct procedures for
physical data destruction. An organisation’s operations can
change, whether in location, staff or everyday procedures – and with
this, effective paper document destruction should be routinely
revisited.

To combat this, regular audits should take place, ensuring all current
procedures are working effectively. Both existing and new employees
should consistently know how to remain compliant and what their role
in data protection is, whether that is shredding paper documents at
their desk or collecting small quantities at regular intervals to be
destroyed at a communal office shredder.

So, as many professionals are pointing out, GDPR is still developing
and organisations will need to keep up if they aim to continue acting
responsibly.

Those who manage to change their company culture so that the
responsibility of GDPR lies with the organisation as a whole and not
just individuals are likely to prosper. This, paired with continued
investment in procedures and employees, will help to keep the UK’s
standards from slipping for years to come.
