A year of GDPR – how has it changed the landscape?
Published On: May 31, 2019
Last weekend marked the first anniversary of the introduction of the EU’s General Data Protection Regulation (GDPR), one of the biggest overhauls in data privacy and security regulations ever to impact businesses.
Coming into force on May 25th 2018, the rules set out a more stringent environment for how businesses must protect personally identifiable data, as well as what responsibilities organisations have in the event of a data breach.
With much tougher rules in place, and with the potential for huge fines should firms fail to live up to its requirements, GDPR marked a significant change for how businesses think about security. But one year into the new regime, how are firms coping, and what impact is it having on businesses’ thinking?
Reports of breaches go through the roof
According to figures from the Information Commissioner’s Office (ICO), the number of data breaches reported in the last 12 months has increased fourfold since GDPR’s implementation. In the 12 months ending in April 2018, the regulator received 3,311 breach notifications, but in the 12 months since, this climbed to 14,072.
This is a result of GDPR’s more stringent reporting requirements – which mandate that any breaches affecting personal data be disclosed within 72 hours – but it also shines a light on many incidents that would have gone unnoticed in previous years. GDPR has therefore almost certainly helped highlight the true scale of the risk businesses face, and could help prevent complacency among firms.
Large-scale fines yet to materialise
One of the biggest concerns for many businesses in the run-up to GDPR was the threat of highly damaging fines for breaches – up to €20 million or four per cent of global turnover, whichever is higher. For the world’s largest tech firms, this could equate to penalties in the billions of dollars.
So far, though, enforcement has yet to really show its teeth. One reason for this is that, given the nature of investigations and the amount of time they typically take, they simply haven’t been completed yet. Another is that the law does not apply retroactively, so the ICO can only issue GDPR-level fines for incidents that occurred after the rules came into effect. This is one reason it issued only a comparatively small penalty of £500,000 on Equifax, for example, despite the huge scale of the credit monitoring firm’s 2017 data breach.
Indeed, the ICO has yet to issue any fines under GDPR rules – though this will surely change sooner rather than later. Elsewhere in the EU, some regulators have begun to take action, with a total of €56 million in penalties issued so far – although the majority of this figure is accounted for by the €50 million penalty imposed by French regulators on Google for the way it used personal data in advertising.
Public awareness reaches new levels
Elsewhere, the rules have also greatly boosted public awareness of data protection issues: what data companies collect about people, and what they use it for. Part of this will no doubt be a result of the deluge of emails people received in the build-up to the implementation asking for consent to continue using their data – which some observers described as an unnecessary overreaction by companies that were unsure of the scope of GDPR rules.
Scandals such as those involving Facebook and Cambridge Analytica have further embedded digital privacy risks in the public consciousness, while research by the International Association of Privacy Professionals found there have been more than 144,000 individual complaints raised under GDPR rules.
Therefore, it’s clear that privacy is not an issue that is likely to fall off people’s radar, so firms will have to continue focusing closely on this area in the coming years. And as the first wave of investigations concludes, it will be interesting to see how aggressively regulators such as the ICO use their enforcement powers.