Why your business is struggling with GDPR & Data Protection
This blog is based on insight from our 2023 State of Cyber Security report.
This month sees GDPR celebrate its 5th birthday, and during that time it’s stayed more-or-less the same. With unchanging rules and half a decade of time to get data protection things in order, you might think that the need for GDPR consultancy is dwindling. However, as we showed in our 2023 State of Cyber Security report, that’s sadly not the case. Data protection and EU/UK GDPR are as much of a challenge to businesses now as it was half a decade ago. So let’s unravel the mystery and make it easier.
Top 3 GDPR Failures
Let’s look at the top 3 areas businesses struggle with when getting GDPR compliant. Then we’ll break them down to see what we can learn.
Our data revealed that understanding the finer details of consent is the single most common problem. Over all the lawful bases of processing, consent is actually one of the weakest, as it can be withdrawn at any time. Businesses over-relying on consent as its lawful basis shows that there’s a poor understanding of the core principles behind the GDPR. This goes both ways: there’s probably some data processing happening that could be reduced, but also some processing that could be strengthened by not relying on consent.
In the world of GDPR, if it’s not recorded, you may as well not be doing it. I think that’s a sentence to strike fear into the hearts of Data Protection Officers everywhere, but what it actually means is: you need to keep good records. If a subject access request comes in, if you get audited, if you ever want to know if you’re anywhere near GDPR compliance, then you need to keep records. The nature of recordkeeping means keeping things continuously up to date, which in turn means an on-going responsibility. Key amongst the struggles here is maintaining a good Record of Processing Activities, known in the trade as a RoPA.
The solution to this problem is quite straight-forward: just get a data protection officer (DPO) in. It’s not expensive, it’s easy and it generally speaking makes the headache go away. Once the framework for recordkeeping is in-place, it’s easy for a good DPO and trained staff to keep everything up-to-date. And that brings us nicely to our last problem.
Lack of maintenance
Following on from recordkeeping, general GDPR maintenance is the last of our most popular GDPR failures. With the gradual increase in general awareness of GDPR, we increasingly see businesses taking it on themselves to manage data protection in-house. This is a great approach, so long as you have the resources and knowledge to do it properly. Otherwise, all you’re really doing is creating problems. As the saying goes, ‘a little knowledge is a dangerous thing’, and without properly trained and resourced staff, you’re making it more expensive. It’s always easier - and cheaper – to do things right from the off rather than fix mistakes. Not to mention that if it’s not exactly right, you’re not GDPR compliant.
Top 3 DPO activities
Next let’s look at the top 3 things our DPOs do to see what that means for businesses.
Data subject access requests
Number one on our list is helping with Data subject Access Requests – often called DSARs or SARs. This will surely come as no surprise to anyone who’s had to deal with one, as SARs can be extremely resource-intensive, not to mention difficult, for those who haven’t prepped. Desperately getting in a DPO the first time you receive a SAR can help, but to truly take away the pain, you need to prepare for a SAR ahead of time. Ideally as part of GDPR implementation, or if you’re not that organised, as part of your on-going DPO support – but it needs to happen before your first request. And as public awareness of the GPDR increases, so does the volume of SARs.
The next most popular DPO activity is breach support – aka, help when something’s gone wrong. ‘Data breaches’ are often in the headlines thanks to better cyber security scrutiny, but in the data protection world, a data breach could be as simple as writing someone’s details on a post-it note and leaving in on your desk. On the hand, it could be as severe as losing millions of customers’ sensitive data. Generally speaking, most data breaches we deal with are somewhere in-between. Again, this arises from a lack of internal knowledge. Do you need to report this data breach to the ICO? Does it need to be communicated to customers? Do you need to expect legal consequences? Most businesses have no idea, hence the DPO.
DPIAs & risk assessments
This is another one connected to maintenance – are you getting that GDPR is not a ‘one and done’ yet? Unless your business is completely static, you’ll need to do data protection impact assessments (DPIAs) as a part of the ‘data protection by design’ part of the GDPR. ‘Static’ means no new suppliers, no new (or changed) processes, no new software tools, no new products or services, etc. So in real terms, DPIAs and assessing risks to personal data in your organisation has to happen in an on-going basis. Again, the resources and knowledge to do this in-house can be challenging, especially in the current economic climate, when most of your staff are focussing on growth.
The real problem with the GDPR
As we can see, the real sticking points with GDPR and data protection boil down to time and knowledge. When businesses are focussed on, well, business, finding the resource to maintain GDPR in-house is a struggle. Even hiring a data protection officer in-house is expensive. That’s why outsourced data protections officers are so popular – they can take that pain away. But it doesn’t all have to be down to a DPO. My top tip for business is to evangelise and embed ‘GDPR champions’ within your workforce. This can absolutely help maintain data protection and GDPR on a day-to-day basis. The better the general awareness of your workforce, the more likely they are to question dodgy data processing, stopping problems before they start. It also helps out your DPO.
Engaging a DPO also makes business-wide decisions easier, as they can work with your compliance and security teams. For example, making sure your DPO and your vCISO are on the same page can really get things done quickly.
Make maintaining data protection a breeze with a DPO
Get help with DPIAs, RoPAs, SARs, breaches and much more with our experienced data protection officers. A right-sized service fits your need and your budget.Learn more
Trusted cyber security & compliance services from a certified provider
Get a quote today
If you are interested in our services, get a free, no obligation quote today by filling out the form below.