It’s been thirteen and a half months since Europe’s businesses went on a ‘we MUST be ready for GDPR’ frenzy, so perhaps now is a good time to take stock and see what’s been happening, see who’s been in trouble, see where the money actually goes and see what more you can do.
Let’s Start With The Stats
As is our standard MO, let’s take a look at the facts and figures.
Businesses and regulators put the hours in to be ready, with many increasing staff and resources. According to research from the IAPP (International Association of Privacy Professionals), over 500,000 organisations across Europe now have data protection officers under the new GDPR regulations, but what has really happened since May 25th 2018?
- 280,000+ cases received by data protection authorities across 27 EEA states
- 144,000+ individual complaints
- 89,000+ data breach notifications (including a 40% increase, Feb – May 2019)
- 440+ cross-border cases
- €56,000,000+ in fines
GDPR Was Meant To Change Everything, Wasn’t It?
In all its fascinating glory, here is the GDPR legislation. It’s 261 pages long and, fact fans, it’s over 20,000 words longer than Shakespeare’s Hamlet.
From a year out, businesses were warned in every advert break, in every unsolicited email from accountants and in endless LinkedIn spam that May 25th 2018 would be the day that everything changed. Analysts suggested it had the power to up-end entire industries and, while in theory that was possible, GDPR was never intended to radically overhaul data protection laws.
Matt Burgess in wired.com said that ‘The hysteria around it was misplaced. The principles of GDPR were created from existing data protection laws and only added a limited number of new rights and obligations. Some of the changes were merely updating or enhancing what was already law. The removal of a £10 fee for processing Subject Access Requests was never going to result in a torrent of requests.’
In fact, what it did was highlight just how bad the internet and individual businesses were at handling people’s personal data. As the media’s propensity for scaremongering showed no let-up, that’s simply what it was: scaremongering. A way to sell papers.
The doom and gloom headlines were centred around monetary fines. The maximum fine is 4% of annual global turnover or €20 million (£18 million), whichever is greater. The less sexy information, seemingly not worth handing over, was that the Information Commissioner’s Office (ICO) has the scope to issue a range of actions including:
- Issuing warnings and reprimands
- Imposing a temporary or permanent ban on data processing
- Ordering the rectification, restriction or erasure of data
- Suspending data transfers to third countries
Concerns about getting hit in the wallet led more than 1,000 US-based news sites to block users coming from Europe, and yet the estimates have been way off the mark.
In 2017, John Leyden, writing for tech blog site theregister.co.uk, told us that when the GDPR regulation came into force, fines would be 79 times higher than under the previous legislation. In a practical example, TalkTalk’s 2016 fine of £400,000 for security failings that resulted in hackers accessing customer data would have been £59 million under GDPR.
Pharmacy2U’s 2015 fine of £130,000 for selling customer data to a third party marketing company without consent would have rocketed to £4.4 million. Highly unlikely, on both counts.
Another forecast which made for a great headline suggested that banks would be liable for fines totalling over £4 billion.
Unsurprisingly, so says Matt Burgess, ‘It hasn’t happened. In the UK there hasn’t been a single GDPR fine issued by the Information Commissioner’s Office (ICO) over the last year. Data protection investigations are complex, lengthy affairs that take serious amounts of resource to complete. While the ICO has opened a number of cases looking into complaints there hasn’t yet been a monetary penalty.’
Of course, the rules are there for a reason and there is scope for huge fines to be handed out should a company be found in serious breach of the law. So far one of the biggest fines came from the French equivalent of the ICO, the Commission nationale de l’informatique et des libertés (CNIL), which ordered Google to pay €50 million (£44 million) for a ‘lack of transparency, inadequate information and lack of valid consent regarding ads personalisation.’
Where Does The Money Go?
With British Airways and the Marriott Group in for a collective as-near-as-makes-no-difference £300 million in fines (£189 million and £99 million respectively, both subject to appeal), it seems like the ICO is making an example of them. Interestingly, BA’s fine was 1.5% of global turnover. Had the ICO sought to impose the maximum 4% fine, the bill could have been as high as £489 million.
It’s a cautionary tale for other businesses playing fast and loose with the rules, and it’s worth noting that both BA and Marriott have said they will put up a vigorous defence in the 28 days they are allowed to make their representations. In addition, the regulator has 16 weeks from issuing the notice of a proposed fine to delivering its final verdict.
On the basis that the fines are paid, they go into the national treasury of the country imposing the fine. With such unprecedented regulatory complexity, however, there is an option for the ICO to ring-fence the income to cover potential litigation costs in defending its decisions.
Calm Down, It’s Just Legislation…
At the end of 2018, the ICO’s Information Commissioner Elizabeth Denham said that, unlike the Y2K bug, there shouldn’t be cause to panic. ‘It’s an evolutionary process for organisations – May 25 is the date the legislation took effect but no business stands still. You will be expected to continue to identify and address emerging privacy and security risks in the weeks, months and years beyond May 2018.’
What Can You Do?
A year on, it’s worth taking some time out to audit your current compliance, to figure out where you are on the evolutionary scale and to find out what more you can do.
Here are six things you should consider doing (both now and moving forward), all from bakermckenzie.com:
- Continue embedding privacy and information security in their general risk assessments, taking into account a heightened enforcement risk over the coming months as a consequence of a more mature regulatory framework
- Prioritise compliance with the core GDPR principles (including accountability, transparency and lawfulness of data processing e.g., notice and consent)
- Watch out for regulatory developments in their country (or countries) including guidelines on specific thematic or industry areas
- Consider participating in sandboxes (where there is appetite to experiment with innovative data usage in a safe regulatory environment) or other initiatives by their competent DPAs
- Make the most of tools and resources which are made available by DPAs to facilitate compliance
- Continue to foster a culture of privacy in the organisation (including emphasis on training, data subject rights and requests, breach reporting, information security, and compliance documentation)