It’s nearly two years since GDPR – or the General Data Protection Regulation – came into force, bringing with it a huge new set of rules that businesses of all sizes are expected to follow in order to keep their sensitive information secure.
While the UK may now have left the EU, the requirements of the law still apply until at least the end of the transition period on December 31st 2020, and as yet there are no signs that the protections will be weakened after this, with the government currently proposing a ‘UK GDPR’ that merges the EU rules with the Data Protection Act and will see very little material change.
However, even if the government does decide to diverge in the future, the rules will still apply to any business that holds the data of any EU citizen. Given the interconnected, international nature of today’s economy, GDPR will still therefore matter to almost every firm. But having operated under its regime since May 2018, companies have had plenty of time to get used to its demands and take a tougher line toward data privacy and security.
So what has the impact been so far and how are businesses’ mindsets changing?
The financial impact
The biggest impact of GDPR has of course been the huge increase in the potential fines that regulators are able to impose. Under the old Data Protection Act, the penalties that the Information Commissioner’s Office (ICO) could hand out were capped at £500,000 – significant for smaller firms but not much of a deterrent to the largest enterprises. Under GDPR, that has all changed.
The extent of this was recently revealed in a new report from law firm DLA Piper, which looked at the impact of the regulation across the 28 states of the EU. It found that so far, penalties totalling almost £100 million have been handed out. However, this doesn’t tell the whole story, as it doesn’t include the €329m (£281.3m) in fines announced by the ICO against British Airways and Marriott, which have yet to be finalised.
DLA Piper noted, however, that these two proposed fines have caused particular concern, as there seems to be “little apparent correlation between the proposed fine and actual harm caused to individuals”. This suggests regulators are taking a tough line with businesses, which cannot expect leniency on the grounds that any compromised data may not actually have been used by criminals.
Transparency matters as much as breaches
While the ongoing penalties against BA and Marriott are the result of significant data breaches that compromised customer data, DLA Piper noted that this is not the only area businesses have to focus on. Many of the largest fines in the early days of the regulation related to failures to comply with principles such as data storage minimisation, fair use and transparency.
Indeed, the biggest single fine confirmed so far was imposed against Google by France for how it handled the data it collected on its users. Therefore, it’s vital for firms that may have initially been paying most attention to Article 32 of the legislation (which focuses on data security) to ensure they are also looking at other aspects of the legislation, with Article 5, which governs the “lawfulness, fairness and transparency” of how firms handle personal data, particularly important.
It’s clear that improved security measures to guard against breaches are just one aspect of GDPR. To ensure compliance and protect the business from fines, many firms still have much wider cultural changes to make.