It’s now several months since the GDPR implementation date, and hopefully you’re not finding the work involved too arduous. Your DPO is there to help you navigate the new legislation and to achieve and maintain compliance. Or, if you’re one of the many people who believe that total compliance is impossible, then hopefully your DPO is helping to at least demonstrate that you’re attempting the impossible!
As with any new large piece of legislation, there is a lot of confusion in the marketplace about how it should be implemented, what certain clauses really mean, and whether or not you are actually compliant. It is likely to take several high-profile cases of breaching the legislation before we understand the letter and the spirit of the law, and that is going to take some time. The recent Dixons Carphone breach, reported in July 2017, actually occurred before 25 May and so is subject to the DPA 1998, which attracts far smaller fines. The Ticketmaster breach presents an interesting dilemma, as it spanned both pieces of legislation and it is unclear which of the two, or indeed both, will be used to prosecute. That is a knot that will take some time to unpick before any prosecution begins, so nobody can say right now how long it will be before we hear the outcome of that particular breach.
At the moment, the Typeform breach appears to be the first major incident to have happened wholly since the introduction of GDPR. Fully understanding the implications and breadth of the breach will take some time: Typeform is a B2B organisation, so we need to understand which of its clients have been affected before we can understand how many of those clients' customers have truly been affected. Once this is understood, we will have to wait for the ruling of the AEPD (Agencia Española de Protección de Datos, the Spanish DPA) on the matter, but at least it is a clear-cut breach of the new legislation and will help to shape future responses to such issues.
The Typeform breach also highlights how important it is not to be complacent about your data protection. Maybe you thought you were safe because you are too small to be of interest to hackers, but even small organisations use services such as SurveyMonkey and may have been affected by this latest breach. As the Data Controller you have an obligation to investigate whether you have been affected, and if you find that there is any risk to your customers, you have to report this to the ICO (Information Commissioner's Office). But your DPO will be all over this, establishing the facts and filing any necessary reports so you can get on with the business of running your business.