GDPR - one year later
A year ago, the introduction of the new General Data Protection Regulation (GDPR) was looming. Many felt unsure of what the regulation would actually mean and too few knew how to prepare for it in practical terms. Column after column of good advice and warnings about the GDPR were published until its introduction on May 25, 2018. Then it went silent. So what has really happened in the aftermath of its introduction? How has the regulation affected businesses in general and do we really know more today than we did then?

GDPR-audited activities
Few judgments have been made so far - both at a global and domestic level. With regard to international companies, perhaps the big story is that more or less immediately after the introduction of the GDPR, the Swedish Data Protection Authority ordered Google to remove a number of search results containing people's names in contexts that were "incorrect, irrelevant, no longer relevant or redundant". However, several of the results that should have been removed are still there, almost a year after the injunction, which means that in the worst case scenario, Google could face a fine of more than SEK 11 billion.
At a local level, it was revealed as recently as February 2019 that 1177 Vårdguiden had leaked 2.7 million recorded telephone calls made by private individuals from 2013 onwards, calls in which people asked for advice on various health conditions and diseases. As this is patient data, it is considered sensitive personal data that requires special protection. The Swedish Data Protection Authority has now initiated a review of 1177 Vårdguiden.
The hype around GDPR has died down
But what has perhaps been most noticeable is that the hype around GDPR that prevailed a year ago has now subsided. It's probably not that everyone now feels more confident that they have actually done the required work, but that it simply hasn't "affected" very many people. The fact that so few companies have been fined mistakenly creates a feeling that perhaps GDPR is not so strict after all.
Many have given the company a cosmetic touch-up on the surface by, for example, establishing a privacy policy, i.e. what is visible to the outside world. Few companies have really focused on the huge amount of work required to fundamentally change the approach in their daily work and to establish procedures for handling personal data.
What seems to have been missed is that since the introduction of the GDPR, the larger technology companies are constantly developing new services to meet the requirements, making the step towards compliance even smaller.
Why have so many done so little?
The fact that so few have worked in depth with GDPR is mainly due to a lack of knowledge. Perhaps you have received training on the regulation, but how it is relevant at an individual level for employees in their daily work is often unclear, especially if the right technology and internal processes that support employees in this work are not in place.
Many companies also measure their own position against that of others. Smaller companies often assume that if they just work with larger, established companies, everything is ok. The truth is that you can't assume anything at all, especially now that many larger companies, which are often less likely to change than smaller ones, have been found to be non-compliant with GDPR. This, combined with the fact that there is no case law yet, means that the easiest thing to do is to do nothing at all. The regulation is there, but you don't know how to interpret it, what to do practically to comply with it, and what the impact will be if something happens.
In the long run, you can benefit from the GDPR
If, like many, you're stuck with GDPR, a good way to move forward is to try to look at it as a business improvement rather than a cost item in the budget. If you use an Office 365 environment, there are ready-made solutions to help you achieve the basic requirements in the easiest way possible. By using these solutions, you can also eliminate redundant or manual processes that can be automated instead, making work much more efficient, cheaper and safer.
Would you like to know more? Do not hesitate to contact us at WeSafe and we will help you!