As we approach 2018 – and with it GDPR – we wanted to share the foresight of Mike Bradford from Regulatory Strategies Ltd, who has drawn up what he sees from clients as being ‘front of mind’ and what we consider to be the likely trends for next year.

Likely trends and actions in 2018:

There will inevitably be increased GDPR awareness and with it the media picking up on enhanced consumer rights, potentially fuelling a rise in subject access requests (SARs) and requests under the new data portability provisions. Organisations need to be prepared for this.

 

It remains to be seen how tough the ICO and other supervisory authorities (SAs) will be on breaches of the GDPR.  Some early-day examples of non compliance may be set.  Any major breach or GDPR failure will involve more global cooperation between data regulators and the potential for the ‘highest common denominator ‘approach to levels of fines and sanctions.  Individual regulators will not have the same levels of discretion as they do now.

 

With the GDPR requirements around appointing a Data Protection Officer (DPO), this role should – and will – become far more influential across the business and its executive and Board.  Supplier management i.e. relationships, contracts and due diligence checks in respect of data processors will be even more important to get right.

 

We are increasingly seeing data protection compliance moving from being seen (by some) as a necessary evil to not only a form of compliance badge but as a real business differentiator, with organisations promoting their compliance status and using it to attract and win business in an increasingly privacy aware consumer marketplace.

 

One of biggest challenges will be having governance and accountability that is sufficiently robust to meet GDPR requirements but is also sufficiently flexible and dynamic to meet the ever-changing and evolving data world.  At the same time operational aspects of systems must remain compliant and this will be a challenge for organisations with legacy systems.

 

The world of ‘big data’ will continue to evolve – and GDPR compliance is key to how businesses optimise this opportunity.

 

More data breaches will come to light post GDPR as reporting obligations come into effect and focus attention on what previously would have been unreported breaches.  Consumers will become even more aware of the need to protect their data and the ramifications of any breach – legally, reputationally and commercially – will be significant.

 

Both pre and post 25 May, the GDPR will continue to be a compliance and core business challenge.  There is no ‘period of grace’ or transition period.  GDPR compliance is mandatory from 25 May 2018.  We are already seeing clients looking to seize the commercial advantage of GDPR readiness as a key business differentiator and early GDPR compliance i.e. pre 25 May is part of their operational and strategic planning.  Brexit will have no impact on the fundamental requirement to ensure full GDPR compliance by 25 May next year.

 

To round things off, it seems (and actually is) a long time ago now when, following a number of leaked drafts, the European Commission published its proposals for reforming the EU data protection regime on 25^th January 2012.

 

It’s worth revisiting the European Commission’s press release to remember the rationale for our new regulatory landscape. Viviane Reding, Vice President Justice, Fundamental Rights and Citizenship said:

“17 years ago less than 1% of Europeans used the internet. Today, vast amounts of personal data are transferred and exchanged, across continents and around the globe in fractions of seconds.

“The protection of personal data is a fundamental right for all Europeans, but citizens do not always feel in full control of their personal data.

“My proposals will help build trust in online services because people will be better informed about their rights and in more control of their information. The reform will accomplish this while making life easier and less costly for businesses.

“A strong, clear and uniform legal framework at EU level will help to unleash the potential of the Digital Single Market and foster economic growth, innovation and job creation.”

 

After what will be more than six years, in just under 170 days the GDPR – and a new UK Data Protection Act – will be with us.

We can assure all CCTA members that we are front of foot on all of these issues, campaigning and lobbying on your behalf. We will also continue to provide you with the relevant training and support that you need to succeed in the current and future regulatory landscape.