After months of preparation and hype, on 25th May 2018, the GDPR finally came into force. That means as we rip open our stockings on Christmas morning, a whole seven months will have passed since the landmark legislation was introduced. And while it’s unlikely to get much air time over the Christmas lunch, the end of the year is a natural time to reflect on the impact GDPR has had on businesses so far.
The UK’s Information Commissioner, Elizabeth Denham, famously called the GDPR “evolution, not a revolution.” And despite racing towards the May deadline, it’s now becoming clear that GDPR compliance is a marathon, rather than a sprint.
A recent survey by the International Association of Privacy Professionals (IAPP) found that 56% of businesses believe they’re not yet fully compliant, while 19% believe they never will be. That might sound worrying on the face of it, but the IAPP says that it simply shows that compliance requires ‘continual development’ and is not ‘a tick-box exercise’.
And on a positive note, the IAPP also found that for many businesses, the GDPR actually turned out to be a lot less complicated and confusing in practice than it was on paper - so big sighs of relief all round!
The predicted tidal wave of GDPR fines hasn’t materialised, despite a number of high profile data breaches and privacy scandals this year. Many of these incidents, most notably the Cambridge Analytica / Facebook saga, have escaped punishment simply due to a technicality, in that they actually happened before the legislation came into force, despite being reported afterwards. For example, Cambridge Analytica was hit with a £500,000 fine under the previous Data Protection Act (DPA), but this would no doubt have been much higher if punished under the GDPR.
But the threat is definitely looming, with a number of ongoing cases where it is yet to be seen whether fines will be dished out. In September, the ICO served its first official GDPR enforcement notice to a Canadian company, AggregateIQ, giving the company 30 days to audit its data practices or be hit with a maximum £17m fine. And a number of recent data breach incidents could spark similar action, in particular Marriott, which saw around 500 million personal data records compromised last month, along with British Airways, which reported an attack affecting hundreds of thousands of customers in September.
Interestingly, while it is still early days for GDPR enforcement, activity under the original Data Protection Act (DPA) has seen an uptick this year, giving businesses a taste of what could be to come as the new legislation finds its stride. Some high-profile examples include the credit reporting company Equifax, which was fined £500,000 for a 2017 breach; Uber, which was asked to stump up £385,000 for a 2016 breach; and BT, which was hit with a £77,000 fine for sending unsolicited emails.
And it’s not just big companies who are in the line of fire, with several thousand companies fined between £35 and £2,900 for failing to pay their data protection fee. While not on the same scale as the previous examples, these penalties show that the ICO is taking its responsibilities seriously - no matter the size of business in question.
Furthermore, despite minimal enforcement so far, the GDPR has in many ways already served a purpose, shining a spotlight on privacy and data collection, and forcing consumers to sit up and take notice. In fact, figures show that businesses have been taken by surprise at the unexpected volume of requests for information coming from members of the public.
In a speech last week, Elizabeth Denham said that since GDPR enforcement began, complaints and breach reports have skyrocketed, from 9,000 to 19,000 over a comparable six-month period. In addition, the ICO has received over 8,000 breach reports since May.
“As people become more aware, they expect - they demand - greater safeguards and control,” she said. “The ICO’s research tells us that only one in three people in the UK trust organisations to handle their personal data in line with the law. That’s better than it was, but it’s still not good enough. Businesses that embrace a commitment to strong privacy protection will be the ones to flourish,” she said. “Trust in this space is hard won, but easily lost.”
Indeed, some companies are using the GDPR in a positive way to boost their reputation for transparency and giving control back to consumers. For example, Apple has just launched a privacy portal where customers can view all the data the company holds on them in one place. No doubt we’ll see more businesses following in their footsteps, as consumers begin to demand this level of openness across the board.
So, while GDPR is still finding its feet, early signs indicate that it is already fulfilling many of its objectives, by encouraging better data practices, and greater awareness of consumer privacy. But it’s important to remember that this year’s GDPR panic was just the beginning, and a wider cultural shift is underway. GDPR compliance is a journey that will continue to evolve over the months and years to come, and businesses must ensure they keep up – or face the consequences.