This month we celebrate (not sure if “celebrate” is the right word here) a year since the GDPR, through the Data Protection Act 2018, came into effect. In this article we take a quick scan around to see what difference, if any, the new regulation has made.
For those of you who missed this event (a survey by Hiscox revealed that 39% don’t know who GDPR affects), the regulation is the biggest change in data protection regulations for 20 years. It provides new rights to consumers, new obligations on those who process personal data, and significantly higher fines of up to €20m or 4% of turnover.
Significant increase in reported data breaches and complaints
The ICO said that it has seen a fourfold increase in the number of reported data breaches (from 3,311 to 14,072) and that complaints from the public had doubled (from 21,000 to 41,054) in the first year of the GDPR. Stephen Eckersley from the UK Information Commissioner’s Office says there are many GDPR cases in progress, but that the past year had been mostly focused on legacy investigations. The European Regulators Group concurs and considers the last year to be one of transition, as activities under the previous regulations are cleaned up and enforcement actions move to the new powers.
Although the enforcement actions of the last year have been for breaches under the 1998 Act, we have seen some significant fines:
- Facebook was fined £500,000 as it “unfairly processed personal data in breach of the first data protection principle” and “failed to take appropriate technical and organisational measures” to protect personal data;
- Bourne UK Ltd was fined £400,000 for sharing the personal information of 14m individuals without consent, in breach of the first data protection principle;
- Uber were fined £385,000 for failing to take “appropriate technical and organisational measures” to protect personal data that enabled cyber attackers to download a large amount of personal data about drivers and customers.
The above fines pale into insignificance next to the record €50m fine the French data protection watchdog CNIL levied on Google for failing to provide users with transparent and understandable information on its data use policies. Meanwhile, the Italian regulator also flexed its regulatory muscles in fining Facebook €10m for misleading users over its data practices.
The GDPR has definitely increased public awareness of data privacy and the high-profile cases keep the topic alive, all of which should give each of us an added incentive to comply with the Act.
71% of the UK population have some awareness of the GDPR
Most people in the UK have some awareness of the GDPR according to a March 2019 study conducted by the European Commission. 27,524 people were interviewed across the EU, with 1,021 face-to-face interviews in the UK. 47% of interviewees said they were aware of the GDPR and knew what it was, with the highest level of awareness among people aged 40 to 54. Over 50% of respondents said they were aware of at least some of their 6 “rights”. On the other hand, there was considerable criticism of privacy policies: 75% of respondents said privacy policies were too long, but only 19% said they didn’t understand them. The New York Times has just published an analysis of the privacy policies of 150 popular websites and apps. Interestingly enough, Google’s privacy policy, for example, became more readable after the introduction of GDPR. However, this was found to be at the expense of brevity, suggesting “an intractable tradeoff between a policy’s readability and length”, wrote the NYT.
The publicity around the GDPR and data privacy has worked well to get such a high awareness with many consumers now aware of their rights.
GDPR compliance can deliver tangible benefits
Does all this effort and energy required to comply with the regulation actually deliver benefits to an organisation – apart from simply minimising the risk of a large fine?
According to Cisco’s 2019 Data Privacy Benchmark study, it does. “GDPR-ready companies are benefiting from their privacy investments beyond compliance in a number of tangible ways. They had shorter sales delays due to customer’s privacy concerns (3.4 weeks vs. 5.4 weeks). They were less likely to have experienced a breach in the last year (74% vs. 89%), and when a breach occurred, fewer data records were impacted (79k vs. 212k records) and system downtime was shorter (6.4 hours vs. 9.4 hours). As a result, the overall costs associated with these breaches were lower; only 37% of GDPR-ready companies had a loss of over $500,000 last year vs. 64% of the least GDPR ready. These results highlight that privacy maturity has become an important competitive advantage for many companies.”
But meeting GDPR compliance requirements does take effort. Respondents were asked to identify the most significant challenges their organizations faced in getting ready for GDPR. The top responses were data security (42%), internal training (39%), evolving regulations (35%), and Privacy by Design requirements (34%).
What do our customers and associates say
We wanted to make this article real, and so asked some of our local customers and business associates for their views and experiences with the GDPR. The regulations have made most of our small business clients examine the way in which they treat personal data – which is a good thing in its own right.
Judith Moule, Director at ETA Consultancy Services, and her clients have got to grips with the changes required by the GDPR and are moving forward. “After much hype, fear and scaremongering I have to say one year on and GDPR has not been as frightening and earth-shattering as we were anticipating. Our clients have been fantastic, really accommodating of the changes and have taken it all in their stride. We were surprised to see that in the various education sectors very little seemed to have changed, particularly around personal data and questions. We would love to see more of a shift to technology and less paper, not only from the environmental impact but to try to eradicate even more risk of data breaches and personal information going astray. As a business, GDPR has made us “LEAN”: we question everything we do and why, and how we can minimise any risk. I am hoping this academic year we will see more electronic documents being used and less paper!”
George Cooke, Director, Surrey Translation Bureau, has ensured his business took a comprehensive approach to GDPR. “As a responsible business and in the light of publicised data leaks, we support the aims of GDPR to protect the personal information held by all organisations. However, some have considered the requirements of GDPR to be a radical shift away from the traditional ideal of preserving customer and supplier details, plus marketing leads, for as long as practically possible for future use. Now we are considering the reasons for keeping information and how long we really need it, in order to come up with a public privacy policy that we hope makes sense to anyone reading it, and is consistent with the official general principles from the Information Commissioner. To do this we’ve taken into account our operational needs and taken advice from PAAC IT based on their wider experience of different businesses and specific GDPR knowledge. We’ve also exchanged DPAs (Data Processing Agreements) with clients and hope that overall we receive credit for showing that we take the matter seriously.
Generally, I think the GDPR has been a good move to improve the protection and use of personal data, but it has been at quite a cost to small businesses.”
Brenda Roper’s experience (B and D Roper HR) is that many SMEs seem to be trying to dodge the GDPR. “2018 brought us GDPR and we were ready and willing to help our clients get to grips with their new responsibilities. We have been stunned by the silence in respect of GDPR! We very much hope that means all our clients have policies and procedures in place without our help – but we fear that ‘ostrich syndrome’ may be the cause of the silence. We all have the potential to be faced with an expensive complaint from the Office of the Information Commissioner.”
Other countries emulate the GDPR
If your organisation trades internationally you need to keep watch for similar regulatory moves. Although there has been much criticism of the GDPR (as there is for any new piece of regulation), it appears that many other countries are adopting aspects of our data protection regulation.
Not surprisingly, given their proximity to the EU, Switzerland, Norway, Iceland and Liechtenstein have aligned their regulations very closely with the GDPR. India and South Korea are both reviewing their data protection regulations, incorporating aspects of the GDPR. Meanwhile, new data protection laws in Brazil and California have been influenced by our regulations.
The aspects of the GDPR attracting most interest from other regulators are data subject rights, data breach handling and accountability requirements.
In conclusion
The GDPR has raised awareness of data protection and privacy across both the general public (the data subjects) and the organisations that process their data, which we consider to be a good thing. It has resulted in many organisations reviewing what they do with personal data and cutting back to the minimum data they need, in both quantity and retention period. It takes considerable effort to comply, but that effort can result in tangible benefits through a reduced number of breaches, fewer leaked records and shorter downtime when a breach does occur.
If you would like help with GDPR, give us a call on 01428 770 290 or drop us a note.