GDPR 12 Months On

This month marks 12 months since Europe’s General Data Protection Regulation came into force. Since 25 May 2018, numerous high-profile data breaches have highlighted the importance of data protection, for individuals and businesses alike. Looking back at GDPR 12 months on, however, has it had any real impact?

To recap, GDPR forced changes to businesses’ data practices as they strove to comply with the regulation. Failing to do so risks penalties of up to the higher of 4% of global turnover or €20m (£17m or ~$22.5m). But 12 months on, confusion still reigns among some businesses. So has there been any progress, and what does the regulator have to say on the subject?

We are almost six months into 2019, and stories of data breaches still appear regularly. So far we in the UK haven’t seen any mammoth fines handed out. GDPR is intended to keep personal information safe, but many businesses have been slow to implement the technology and processes needed to achieve compliance.

Despite a tangible lack of compliance progress in some areas, it could be argued that the ICO has yet to bare its fangs.

There’s no doubt that GDPR is now inspiring other regulatory templates in countries such as India, China and Brazil and in states such as California and Washington. So, in that regard, it looks like the EU has set a new bar for global data privacy standards.

My perception, formed by conversations with finance, marketing and HR departments and senior business leaders, is that companies continue to rely on in-house systems that are not embedded in the IT infrastructure of the business. Many businesses, large and small, continue to use unencrypted spreadsheets and email to store and distribute sensitive data, which leaves them exposed to data loss and data breaches.

It’s a good thing that millions of individuals have a better knowledge of their right to privacy and that companies are on the whole aware of their need to protect personal information. I would say that the jury is out as to whether most people understand what they are agreeing to when they agree to the terms and conditions on platforms provided by the likes of Google and Facebook.

Meanwhile, outside the EU, legislation such as California’s Consumer Privacy Act demonstrates that data protection is gaining more attention around the world. It would be unwise to think that the ICO, which to date has adopted more of a carrot than a stick approach, will not punish those businesses that are not compliant.

Huge fines have not been handed out in the UK yet, but this isn’t a surprise to me: when I wrote about GDPR this time last year, I said that the ICO was going to take a pragmatic and softer view during the first year. It always takes time for this type of regulation to bed in, but I fully expect the ICO to become much less sympathetic during the latter part of 2019 and as we move into 2020.

In the UK, the ICO has served several six-figure fines, but none have yet exceeded £500,000, the maximum penalty under the Data Protection Act 1998. It has, however, served an enforcement notice on AggregateIQ, a Canadian company that supplied software to Cambridge Analytica. This was the first formal enforcement action under the UK’s Data Protection Act 2018, which implements the GDPR in the UK and, importantly, will remain in place and be enforced after Brexit.

The French equivalent of the UK’s ICO, the CNIL, hasn’t been so guarded, though: back in January it fined Google €50m (~£44m), the first time that Google had been prosecuted under GDPR.

The CNIL said in a statement following this decision that this conclusion had been reached because Google made it too difficult for users to find essential information, “such as the data-processing purposes, the data storage periods or the categories of personal data used for the ads personalisation”, by splitting it across multiple documents, help pages and settings screens.

In terms of cybersecurity, organisations are notably improving their approach to resilience, or at least paying closer attention to how they process personally identifiable information. Far more firms are now waking up to the cyber threat, but there is still more to be done, and some firms need to ensure that they’re not becoming complacent.

Companies like Fifth Step are playing their part in helping to improve that landscape, but the proof will be in the eating of the regulatory pudding. I believe that the scene will continue to improve, but we’ll have a better sense of GDPR’s ability to motivate all organisations into action when we know the outcome of the test cases that are in the pipeline.

AggregateIQ, mentioned previously, has now appealed, and the outcome is yet to be ruled upon. Meanwhile, Facebook is appealing its £500,000 fine and, on past form, is unlikely to easily accept being restricted by strengthened regulatory oversight of this type.

These appeals will test the power of the regulator and provide our first indication of whether GDPR empowers individuals to protect their personal data.

Wayne Jolly