GDPR for the Public
After a year of GDPR, people have become more aware of the importance of their personal data and the rights that they have. In particular, there is greater awareness of the role that the regulator has to play in situations where a person’s rights are not respected.
Research conducted during July 2018 found that one-third of people have strong trust in the organizations and companies that they give their data to. This is a significant improvement from 2017, when just over one in five people felt that way about companies that held their data.
In March 2018, the ICO surveyed DPOs, and found that almost two-thirds had seen an increase in the number of customers that exercised their information rights after the GDPR came into effect. The increase in awareness comes partly from the ICO’s own Your Data Matters advertising campaign, which aimed to increase consumer awareness of the rights that people have under GDPR, as well as educating people in how to exercise those rights. The campaign led to more than 2.5 million people accessing the ICO website, and has encouraged people to exercise their information rights, either directly through public-facing services, or by making use of the tools that are offered via third parties.
There have been many investigations highlighting the challenges of accessing personal information, and making users aware of the ways in which their data is being used by third parties, both the people that they willingly gave their information to and the other businesses that those companies are working with. Prior to GDPR working this out was often opaque and difficult.
Working with DPOs
The push towards GDPR encouraged organisations to make a number of changes to ensure that they were collecting, storing and handling the data using a sound legal framework so that it was refreshed only with consent and handled in the correct way. The new regime has helped to support users, businesses and organisations and cleared up a lot of the confusion that comes from the way that data is processed. The ICO helpline, live chat and advice services have seen more than 470,000 contacts over the year 2018-19, which marks a 66% increase on the year before. When it comes to bigger organisations, there has been a significant burden placed upon the Data Protection Officer, who is faced with the challenges of normalising the new regulations and getting people used to working within the correct framework.
The ICO surveyed DPOs when they conducted the DPPC 2019, and found that most DPOs were happy with the support that they got from the organisation. Culture was one of the main issues that cropped up in terms of implementing the GDPR, but most DPOs were satisfied with the support that they got from their superiors. More than 90% of those in DPO positions said that they had some form of an accountability framework in place, and 61% said that the framework was something that was well understood by people in their organisations. Two-thirds reported that the framework was clearly communicated. This means that there was good progress made across the board, although it will still take some time to completely embed the concept of GDPR best practices into all organisations. Many companies find it easier to employ an outsourced Data Protection Officer.
SMEs have their own challenges and it has not been easy for SMEs to change the way they work to become more GDPR compliant. This is something that the ICO acknowledges. The legal bases for auditing, privacy and data processing are things that it will take time to understand, and there are not really any quick fixes that smaller companies can use. Sole traders, in particular, find GDPR much harder to work with. To help this important part of the economy to understand GDPR, the ICO has created a set of resources, including checklists and FAQs as well as simple, jargon-free guidance that will help people to improve their understanding of the legislation and the requirements that they are faced with. The hope is that over the next couple of years they will be able to adapt.