Many organisations are still engaged in the process of updating their policies and procedures to adhere to the new requirements, which begin to apply on 25 May.
Accountability is a central principle of the new regime: clear and organised policies and procedures, regular staff training and methodical record keeping are the foundations of GDPR compliance, and can also strengthen the security and good governance of the organisation as a whole.
Technology can help businesses observe the accountability requirements – the reporting functions, repositories and databases that compliance tools offer can help a business put processes and systems in place and more easily evidence overall compliance.
We are seeing a rising demand for data protection compliance tools, such as software for maintaining records of processing activities, and tools for responding to data subject rights. In particular, with the reduced timescales for responding to subject access requests, and the trend, particularly in employment tribunal cases, for wide-reaching subject access requests to be made, there is a gap in the market for tools to enable a fast and efficient response to such requests.
There are already examples of how technology is being explored as a means to facilitate and reduce the burdens of compliance in financial services, including in relation to customer identity verification, regulatory reporting duties, and cybersecurity, with blockchain solutions among those identified as having potential in the 'regtech' market.
The good news for technology companies considering new data protection compliance tools is that a new regulatory sandbox for digital innovations is to be established by the UK's data protection watchdog, the Information Commissioner's Office (ICO).
The ICO said earlier this year that its new sandbox would draw on "the successful sandbox process" that the Financial Conduct Authority (FCA) has developed in the area of fintech. The FCA's regulatory sandbox enables businesses to test their innovations in a light-touch regulatory environment, subject to consumer safeguards being put in place.
The ICO's regulatory sandbox has the potential to help technology providers work with the ICO to develop tools that support compliance across industries. The providers should look out for the ICO's consultation on its plans, expected later this year.
Claire Edwards is a specialist in data protection at Pinsent Masons, the law firm behind Out-Law.com.