Reflections on the General Data Protection Regulation, two years on.
The implementation of the GDPR was marked in the history books as the harmonisation of Union law to protect data subjects’ rights, but nearly two years on from the regulation’s implementation date, it is clear that the GDPR has provided little more than a façade for data subjects’ rights. The ICO has erred in its implementation, and consultants may ignore the importance of data subject rights because the ICO is not enforcing against data breaches at small and medium-sized enterprises. The question then becomes: why be compliant with the rules when the regulator won’t enforce them?
The role of the ICO
The role of the ICO, as hallmarked in recent news, is to protect data subjects from the potential intrusiveness of artificial intelligence and automated decision making. Although this work is of great importance to data subjects, helping them avoid biased and stereotyped decisions, the ICO lacks a vision of data protection that extends beyond the confines of simply intrusive data processing.
The ICO cannot be blamed for lacking a vision of data protection; the tools it has been provided with are simply not fit for purpose. Neither the GDPR nor the funding the ICO has received allows it to actively protect data subjects’ fundamental rights beyond the confines of serious data breaches, usually involving criminal matters, where the criminal matter takes precedence, leaving the GDPR to be used to achieve only faint justice.
It should not be understated that the ICO has levied some large fines against firms in recent months, which indicates its willingness to begin focusing on deterring larger firms from data breaches. But how does a large breach affect the enforcement of small and medium-sized enterprises? The ICO is not resourced well enough to put enforcement actions in place against these enterprises; it sees no revenue from the fining of companies and cannot easily defend claims that arise out of its fines. This has left the ICO in a vacuum of risk where it has to pick and choose what actions it takes, rather than truly uphold data subject rights. However, the ICO’s recent vigour in prosecuting indicates its readiness to start taking enforcement of the rules seriously, and not just for breaches concerning large data sets; small and medium-sized enterprises are increasingly being placed in the regulatory crosshairs.
The role of the consultant
Because the GDPR’s and the ICO’s enforcement action is limited to intrusive breaches of data subject rights, some compliance consultants in the industry may take a laissez-faire approach to GDPR compliance. Data subjects could suffer because consultants may be unwilling, or unprepared, to aid small and medium-sized enterprises with data protection compliance. Why enforce something the ICO won’t?
There needs to be a reimagining of the role of the compliance consultant in terms of GDPR compliance. The ICO’s increasing, albeit slow, willingness to fine the larger companies should spur consultants into acting in the best interests of their clients – getting them GDPR compliant before these enterprises are in the targeting line for ICO enforcement action.
How Scott Robert can help
Scott Robert has produced and implemented numerous GDPR projects for organisations ranging from hospices to medium-sized enterprises. Compliance is at our core: balancing risk and producing effective outcomes for our clients whilst ensuring the security and integrity of data subjects’ rights.