At long last, GDPR finally arrived on Friday 25th May, delivered within the UK Data Protection Act 2018. It’s a little strange to note that some organisations have communicated that it’s “job done” and that they have met their deadline, at a time when responsible organisations have maintained their focus and are actively transitioning from a preparatory mindset to ensuring compliance with GDPR as a living piece of legislation.
So, what have we learnt over the last week? Within the first hours of GDPR, we witnessed Austrian privacy campaigner Max Schrems and the “noyb.eu” initiative launching four formal complaints under GDPR against four tech giants: Google/Android (filed in France), Facebook (filed in Austria) Facebook-owned WhatsApp (filed in Germany) and Facebook-owned Instagram (filed in Belgium). In each case, it is contested that the bundled consent required to use these on-line services is contrary to Article 7(4) of GDPR. The progress of these complaints is being watched with keen interest to gain an understanding of how the national Supervisory Authorities will conduct their GDPR-related investigations, determine matters of non-compliance and, if appropriate, issue financial penalties.
We’ve also seen the continued arrival of consent-related emails, which has mainly served to highlight those organisations which didn’t quite have everything completed before 25th May. It’s been widely reported that the content of a significant number of these messages did not meet GDPR’s requirements. In some cases, the erroneous use of “cc” instead of “bcc” within their hastily-issued messages will likely be the source of future complaints, as data subjects become more aware of their data privacy rights and start to exercise them.
At UKCloud, we announced that we had completed our GDPR preparations well in advance of 25th May. However, that does not mean we’ve been resting on our laurels, and we continue to review all activities which involve the processing of personal data, either as a data controller (for example, for the management of our own personnel) or as a data processor, acting on the lawful instructions of our customers. We have always ensured that we only process personal data for lawful purposes, we openly provide transparency of our personal data processing activities to data subjects, and we respond and act swiftly and accurately if asked to do so by a data subject or a customer.
And that remains our commitment for the future. We continue to work with our public sector customers and their technology partners to ensure that applicable GDPR requirements are being fully addressed by their selection and use of UKCloud’s secure, assured and UK-sovereign cloud services. These engagements also validate that data protection responsibilities are clearly understood, and assist our customers in being transparent with their data subjects about how and where their personal data is being processed in the cloud.
We’re also putting the final touches to our exciting new GDPR Exchange – a secure, on-line collaborative framework for developing, sharing and benefitting from organisational, procedural and technical best practice for GDPR (and associated information security subjects) within our public sector customer and partner communities. We’d genuinely welcome your involvement, and are sure you will derive real benefit from your participation.
Looking back, preparations for the Y2K “millennium bug” in 2000 focused our minds on being prepared for a single issue at a fixed point in time. Unlike Y2K, GDPR is a journey we’ll all be taking for many years to come, and its requirements, obligations, data subject rights and potential penalties have become important daily considerations for any organisation involved with the processing of personal data in any of its many forms. Not that you need a reminder, but that journey already started a week ago.