The GDPR came into force over a year ago on 25th May 2018. You may remember the panic as that date approached. Most notable was the torrent of emails you probably received asking for “permission” to maintain your contact details, a practice that, ironically, the Guardian reported may have been illegal under existing data protection law (namely PECR). But while you may no longer be receiving as many emails, is this all down to GDPR? Aside from that, what else has happened, and was all that panic over a year ago for nothing?
One of the most interesting things about the implementation of the GDPR is that it has significantly increased public awareness of, and interest in, data protection. Since GDPR came into force in May 2018 there has been a sharp rise in overall awareness of the legislation amongst organisations of all size. In the 2018 Cyber Security Breaches Survey, which was published pre-GDPR implementation, only 38% of businesses were aware of the then upcoming law. By the time of the 2019 edition of the Survey, this had risen to 88% of businesses.
This increased awareness has led to a spike in the number of people contacting the Information Commissioner’s Office (the regulator) to seek additional information or report complaints. In their one-year review of GDPR, the ICO noted that there had been a 66% increase (over 470,000 in total) in the number of queries they had received from businesses, organisations, and individuals. They also reported a jump in the number of data protection concerns from the public, having received 41,000 in 2018/2019, compared to just 21,000 the year before.
Despite this broad general awareness, however, there is still work to be done with regards to raising awareness of the specific requirements of the GDPR. For instance, only 46% of businesses are aware that they need to report personal data breaches to the ICO within 72 hours of discovering them, while only six in ten businesses (58%) are aware that organisations can incur fines for cyber security breaches.
That last point, on awareness surrounding fines, may seem a little surprising, as in the run-up to the GDPR’s live date, the lion’s share of the coverage focused on potential penalties. Under the Data Protection Act 1998, the maximum fine that could be levied was £500,000. Under GDPR, the maximum now stands at 4% of global turnover or 20 million euros, whichever is greater.
Recent months have seen the first significant fines issued under GDPR. In July 2019, both British Airways and Marriott International were served notices of intention to fine for £182m and £99m respectively. At the time of writing, both companies still have time to appeal, but what commentators agree on is that both fines send a clear message: the introduction of GDPR has ushered in a new regulatory era. Responding to the news regarding BA, Nils Pratley, the Guardian’s financial editor, remarked that the GDPR has turned the ICO into “a regulator to be feared”. This view was echoed by the BBC’s technology correspondent Rory Cellan-Jones, who wrote that the size of the fine “will send a shiver down the spine of anyone responsible for cybersecurity at a major corporation”.
What to do next
The key thing to remember is that GDPR compliance is not a one-time exercise. Organisations will need to maintain compliance on an ongoing basis. If your business activities change, your data protection obligations may change too.
At Apomatix, we have an automated solution that will help you quickly and efficiently assess your GDPR compliance risks. You can then use our platform to treat your company’s risk based on industry standards.
If you would like to assess your company’s GDPR risk in a matter of minutes, please click here to start a trial.