We welcomed over forty Privacy, Risk and Compliance professionals at the City of London Club on 1st December for a breakfast and networking seminar titled UK Data Protection Update: Taking Stock & Navigating the Road Ahead. The event was run under the Chatham House Rule.
Background and keynote
The introduction of the General Data Protection Regulation in 2018 marked a dramatic change in data protection legislation, paving the way for a growing global regulatory landscape. With further developments and proposed UK data protection reforms on the horizon, it was an excellent opportunity to review the pain points, lessons learnt from GDPR, and the benefit
The keynote speaker was Glen Hymers, Head of Data Privacy & Compliance and Information Assurance at the UK Government Cabinet Office. He was joined in the panel discussion by:
- Catherine Bowen-Walker (Group Data Protection Officer at Vitality)
Panel Discussions
The interactive panel discussions were chaired by Lindsey Domingo (Senior Director and Regulatory Compliance Lead at Xcina Consulting) and covered the following topics.
How to ensure a harmonised approach for international firms operating in the UK
At least in its original version, the proposed DP reform may involve some departure from the GDPR. We spoke about the importance of maintaining adequacy. We also discussed some design principles and criteria international firms could consider applying when implementing a common framework whilst allowing for local flexibility.
GDPR pain points and challenges
GDPR came into force in 2018, and many organisations did what they felt was required to get over the line by the 25th of May. However, four and a half years later, we’re finding that many organisations still fail to comply with several requirements.
The panellists were asked to share their experience of the most common GDPR pitfalls, obstacles and challenges. Those were numerous and related to the following:
- Education
- ROPAs
- The regulatory complaints process
- Data retention
- Consent
- Third parties
- Data transfers
- New technologies
- Limited privacy resources
Lessons learnt since the implementation of GDPR
The panel was asked to discuss the lessons learnt since the implementation of GDPR, taking into consideration data breaches, enforcement action, and any other relevant examples they could comment on, whether based on direct experience or publicised cases.
These lessons can be summarised under the following themes:
- The importance for organisations to be able to show their workings (e.g. ROPA, DPIA and training) in line with the Accountability principle
- The ROPA is the fundamental cornerstone without which organisations can’t have an informed view of data protection compliance
- Privacy by design and data minimisation
- Upfront engagement with key stakeholders within the organisation
- Capitalising on issues such as data breaches
- Dealing with the regulator
- The data retention challenge
- How the term ‘breach’ is often misunderstood and overused
- How PECR should not be overlooked, given that many recent enforcement cases and fines related notably to marketing and the use of Cookies.
Polling question
We conducted a brief poll of the participants in the room to find out how many people were confident that their organisation complies with all applicable Privacy requirements, including the Data Protection Act 2018 & UK GDPR and the Privacy and Electronic Communications Regulations (PECR). The majority were not in a confident or comfortable position. We emphasised that whilst absolute compliance was unrealistic, organisations needed to achieve a defensible position.
Data protection and consumer trust
The most obvious downside for organisations that do not comply with privacy obligations would be potential breaches, enforcement action including fines, and reputational damage. The panel discussed the upside, in other words, the added value for those organisations which comply with the requirements. Privacy compliance and transparency can be positive competitive differentiators and help achieve higher consumer trust and loyalty.
Questions from the audience
Further discussions touched on the following aspects:
- The growing use of ad tech
- BYOD and acceptable use
- Third-party due diligence
- Data transfer agreements, including negotiating with prominent industry players
- The structure and composition of data protection teams
Concluding remarks
Xcina Consulting has been assisting clients in achieving a defensible position with regard to their compliance with data protection requirements, including PECR. Feel free to contact us for a free consultation and to understand how we have helped organisations like yours.
To participate in our future discussions, stay up to date as we announce new dates and address wider topics by emailing us at info@xcinaconsulting.com, or join our guest list for future events.
If you missed our last event or any of our earlier ones in the Regulatory Compliance or Information Security series, further details of the discussions are shared at the pages below:
- Operational Resilience, Outsourcing and Third-Party Risk Management – Thursday 20 October, 2022
- Compliance Challenges amidst Regulatory Changes – Thursday 22 September, 2022
- War and Ransomware – Thursday 25 August, 2022
- Thursday 9 June, 2022