I recommend only attending GDPR events and briefings when you are confident the presenters know what they are talking about.
Events that include presentations from the ODPC can be especially insightful, given they are the regulator in Ireland and the people you will have to answer to when things go wrong.
At a recent presentation by the ODPC at an event run by the Association of Compliance Officers, they discussed the types of mistakes they see companies making every day.
The top 5 reasons for complaints to the ODPC in 2016:
- Not complying with an individual’s access rights (56% of all complaints)
Firms do not have clear procedures and policies for dealing with subject requests, e.g. requests for information and copies of personal data.
It is likely that more people will be exercising their access rights when GDPR removes the €6.35 administration fee that is currently allowed.
Organisations will receive more requests and GDPR will reduce the time available to respond from 40 days to 1 calendar month.
I’m not the only one who thinks this is going to be a serious problem for organisations in 2018.
- Unauthorised disclosure
Disclosure of an individual’s personal data to an unauthorised third party.
Many issues are currently caused by simple errors: data sent to the wrong email address; two letters for two people put into one envelope.
- Electronic direct marketing
e.g. sending emails to people without their consent; spam; unsolicited SMS.
This is a very complex activity to get right and it’s governed by a range of laws and regulations (e.g. PECR / ePrivacy).
It will only become more complex with the arrival of GDPR and the updated ePrivacy regulations.
- Unfair processing
Organisations are using the data they have collected for purposes to which the individuals did not agree.
It all goes back to the basic test: Are you doing something that would surprise or concern a data subject?
- Failure to secure data
Failure to put even basic security measures in place, e.g. unencrypted laptops; lost USB sticks; lack of any staff policy prohibiting documents containing personal data from being taken out of the office.
If you are going to make mistakes with GDPR compliance, at least try to avoid the mistakes of others. Don’t make the regulator’s job too easy!