One year on, not everyone is impressed with data protection rules. Indeed, a survey reveals that many organisations feel the introduction of the General Data Protection Regulation (GDPR) by the European Union 12 months ago has led to no significant improvement in their knowledge of how to manage and protect data. That’s a shame, but GDPR is not going away—and we now know the consequences.
Research by ICSA: The Governance Institute reveals that 42% of those polled feel their understanding of data protection has remained the same over the past 12 months, despite the introduction of GDPR.
A total of 39% believe the new rules have “significantly” improved their understanding. That either leaves the regulatory authorities, or the organisations subject to the rules, with big questions to answer.
ICSA found much negativity about GDPR: It has “increased overheads”; become a “huge burden on resources”; and created “much extra work for little extra benefit”. Furthermore, data access requests take up a “disproportionate” amount of time and create “significant compliance burdens with no clear additional benefit to data subjects”.
That said, some of those polled by ICSA found good things to say. GDPR has prompted “much more awareness of data issues”; it has forced the improvement of procedures; databases have been culled; it has promoted a greater understanding of data security; and has given lawyers a greater role in monitoring compliance. As ever, lawyers do well.
According to Peter Swabey, ICSA’s director of policy and research, companies have experienced both upsides and downsides to GDPR, but he warns there is more to come.
“While GDPR has concentrated people’s minds on personal data, it is a continuing obligation whose burden is yet to be fully felt.” Bad news for those who have seen no benefits.
‘Fundamental privacy rights’
Burden or not, GDPR is already having an impact on those companies who fall foul of data protection rules.
Indeed, in recent weeks the Information Commissioner’s Office (ICO), the UK’s data regulator, has announced its intention to impose huge fines on companies that appear to have got it wrong. British Airways (BA) is in the process of appealing an eye-watering fine of £183m, while the hotel group Marriott International faces a fine of £99m—both for GDPR-related issues.
In BA’s case the fine comes after cybercriminals diverted the personal information of half a million customers to a false website where it was harvested.
Information Commissioner Elizabeth Denham said at the time the fine was announced: “People’s personal data is just that—personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear—when you are entrusted with personal data you must look after it.
“Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
In Marriott’s case 339 million guest records were “exposed” in a cyber-attack. The records included 30 million from people in the European Economic Area, and seven million UK residents.
In its annual report, the ICO said GDPR’s introduction had been the “biggest moment” of the year and saw “people wake up to the potential of their personal data”. Data protection complaints to the ICO doubled between 2017–18 and 2018–19.
Facing a big GDPR fine is clearly now a significant regulatory and reputational risk. And there is no sign that the EU will relent. In a speech in July, Vera Jourova, the European commissioner for justice, revealed much enthusiasm for GDPR in Brussels, saying that one year after the introduction of GDPR, “data protection finally matters”, with the EU having “entered a digital era on a strong footing” and GDPR promoting data flows “based on high standards”.
SMEs will receive more EU support to understand the requirements of GDPR, but data protection rules around the world will only become tighter.
“Finally, on the international stage GDPR has become a reference point of a modern and high digital standard,” Jourova said. “More and more countries in Asia, Latin America or Africa are adopting new laws or changing their existing ones and are taking the GDPR as a reference point. This is a true example of the EU as a rule maker and a standard setter.”
Like it or not we live and work in a digital age. If companies want to use data to build businesses they will have to come to terms with laws to protect it. Best to find out where the value is in those rules.