GDPR over a year on…where are we now?
You may recall the lead-up to May 2018, when many businesses were filled with panic, an urgent need to become “GDPR compliant” and uncertainty over what the new data rules would bring. Whilst GDPR-related concerns have calmed down a little, some uncertainty remains, and the cases now emerging continue to shape how the rules are interpreted and enforced.
There would be cause for concern if a company thought it was 100% compliant: that is an impossible achievement, as every company tolerates some level of risk, and the regulation itself expects measures proportionate to that risk rather than perfection. What is reassuring is that most companies are at least working towards better compliance and have GDPR firmly on their radar as an area to improve. For most, data protection is still a work in progress even now, 14 months after the new rules came into force. Organisations shouldn’t become complacent: there are always improvements to be made, and there is an ongoing responsibility to review GDPR policies, practices and data protection assessments.
British Airways – A Milestone Case
One of the most interesting developments will be seeing how GDPR is enforced in practice by the ICO, the UK supervisory authority, and we will see more examples as time goes on. British Airways has been stung by the new regulations: in July 2019 the ICO announced its intention to fine the airline £183.39m for a 2018 breach of customer data, the largest penalty proposed under the new rules and, unfortunately for them, an example to all. Note that this is a notice of intent, so the final figure may change once British Airways has made its representations.
Here’s a summary of some of the interesting points and our assessment of the action taken against British Airways:
- Pre-GDPR, the largest fine issued was £500,000 to Facebook, which was the maximum available under the Data Protection Act 1998. Post-GDPR, the proposed British Airways fine is 1.5% of the airline’s worldwide turnover for 2017, equating to a staggering £183m. This shows the difference now that the ICO has the ability to impose much higher fines: the GDPR maximum is the higher of 20 million euros or 4% of annual worldwide turnover, so the British Airways figure is well below the cap. A breach that attracted a modest fine under the old rules could attract a far higher one today.
- The size of the proposed fine reflects the ICO’s assessment of the large number of people affected (around 500,000 customers, according to the ICO’s statement), the type of information involved (log-in, payment card and travel booking details, as well as names and addresses), which could cause real hardship, and the wide geographical reach.
- The fine is undeniably high, but there is always the potential for individual compensation claims through the courts on top of it.
- It’s important to review regularly the security measures in place in your organisation. Even though British Airways was the victim of a malicious criminal act by third parties (the ICO found that traffic to the airline’s website was diverted to a fraudulent site, where customer details were harvested), it remained accountable for the breach: GDPR requires controllers to have appropriate technical and organisational security measures in place, and the ICO’s view was that poor security arrangements at the company allowed the data to be compromised. Being attacked is not a defence; the question the regulator asks is whether the measures in place were appropriate to the risk.
Key GDPR Statistics
The European Commission has confirmed that, since the introduction of GDPR, there have been:
- More than 140,000 data protection complaints
- Nearly 90,000 data breach notifications
- 446 investigations by supervisory authorities
- Nearly 65,000 data breaches self-reported in the first 9 months by the affected organisations themselves
Brexit & the Impact on GDPR
The UK will remain subject to GDPR standards post-Brexit, as the regulation has been incorporated into national law alongside the Data Protection Act 2018. Watch this space, though: depending on the deal the UK makes with the EU, international data transfers may be affected if the UK is not granted an adequacy decision. Without adequacy, transfers of personal data from the EEA to the UK would need another lawful transfer mechanism, such as standard contractual clauses. Until there is more clarity over a Brexit deal, where this leaves the UK and international data transfers remains uncertain.
Enforcement Action is Favoured over Fines
Many businesses were concerned last year that they’d be fined 20 million euros for any data breach, but that extreme fear was misplaced. The majority of GDPR investigations have resulted in no fine or a “slap on the wrist”. Enforcement notices have been used to give organisations a deadline to comply. This seems to be the preferred approach, where applicable, since fining organisations makes it less likely that they will find the resources to improve their data protection compliance and rectify the problems. That’s not to say fines won’t be handed out: we’ve seen a lot of example cases where fines have been issued, particularly for unsolicited marketing (in the UK these are usually issued under the Privacy and Electronic Communications Regulations, which sit alongside GDPR).
People are More Aware of their Rights
Organisations have seen a spike in requests under GDPR, particularly subject access requests, but the removal of the £10 fee isn’t the sole reason. GDPR was so widely discussed that individuals, who have no compliance obligations of their own, became much more aware of their data rights, even though the majority of those rights existed previously.
Continuing Obligations with Data You’ve Shared
One big mistake organisations have made is protecting only the information they hold themselves. If you are the controller of personal data that you have shared with third parties, you need ongoing, adequate measures in place to ensure those third parties comply with GDPR. The best way to ensure this is appropriate wording in commercial contracts and agreements: where the third party processes data on your behalf, GDPR (Article 28) requires a written contract containing specific mandatory terms, and where the third party is a controller in its own right, a data sharing agreement setting out each party’s responsibilities. It works the same way with any information you’ve obtained: make sure it was collected compliantly by the organisation you obtained it from, and that the lawful basis and privacy notice cover your intended use of it.
After the initial panic, many businesses are realising that they already had some compliance in place. GDPR didn’t spring from nowhere; it evolved from existing data protection laws that organisations should already have been adhering to.
The Obsession with Consent
There is more to GDPR than consent. Everyone initially thought they needed consent for absolutely everything, disregarding the five other lawful bases under Article 6 (contract, legal obligation, vital interests, public task and legitimate interests), which afford just as much protection. If anything, consent shouldn’t be the “go to” unless necessary, because data subjects can withdraw it at any time and the processing must then stop. In reality, GDPR was never only about getting consent, which is just a small part of a much bigger project.
Key Action Points for Businesses
Becoming GDPR compliant is an ongoing process and should be reviewed continuously:
- Ensure GDPR policies and procedures are up to date.
- Any new project or system that handles personal data must be GDPR compliant from the outset (data protection by design).
- Assess how any change in the way you handle personal data will affect your ongoing compliance; where the change is likely to result in a high risk to individuals, that means carrying out a Data Protection Impact Assessment.
- Many companies view GDPR compliance as a one-off tick-box exercise, but businesses should keep on top of their data protection measures and continuously strive for improvement.
If you would like more information or help with becoming GDPR compliant, please contact our expert GDPR team today for free, no-strings advice.