On May 25th 2018, the EU rolled out a new set of data privacy laws under the General Data Protection Regulation – more commonly known by its acronym of GDPR. The aim of GDPR was to set a standardised level of data protection for individuals across the EU. The negotiations for this new legislation took more than four years, with regulations concerned with how businesses should handle, store and protect consumer data.
Regardless of Brexit, the ICO (Information Commissioner’s Office) and UK Government have stated that the UK will still have to comply with GDPR. In fact, any overseas businesses dealing with consumers and other businesses in the EU27 must be GDPR compliant.
In the lead up to the GDPR deadline, the ICO called for GDPR compliance rather than enforcement, but news headlines focused on the eye-watering fines – enough to scare any business into getting themselves in line for GDPR.
For companies in breach or found to be non-compliant, there are two tiers of administrative discretionary penalties that can be levied:
- €10 million or 2% annual global turnover – whichever is higher; or
- €20 million, or 4% annual global turnover – whichever is higher.
It is important to note that fines are imposed on a case-by-case basis. Now that we’re a year on from GDPR being rolled out, it’s time to look back and reflect on its impact.
What Have We Learnt One Year on From GDPR?
GDPR has reshaped the rules of data management and marketing, making the data and email compliance landscape much more complex. From collecting personal data via cookies so that information can be used for marketing purposes, to storing personal data, explicit consent must be given by the individual, and sometimes more than once.
Alongside this, individuals have the right to submit a SAR (Subject Access Report) request to businesses. Under GDPR, employers must respond, “without undue delay and in any event within one month of receipt of the request.” This shortened the previous 40-day limit required under the DPA (Data Protection Act).
What’s interesting is that a recent survey has shown that three-quarters of UK organisations failed to address personal data requests within the 40-day period, with some businesses not responding to consumer and employee requests at all. Alongside this, according to Corporate Counsel, there have been 59,000 data breaches reported in the EU since the introduction of GDPR, including 10,600 breaches from the UK.
Data Scandals Since GDPR
Despite the warnings presented in the lead up to the introduction of GDPR, there have been a number of data scandals over the past year. The European Data Protection Board stated that since May 25th 2018, 206,326 data breaches were reported by supervisory authorities in the first nine months of the GDPR being rolled out.
Of these, 94,622 were complaint-related and 64,684 were data breach notifications made by data controllers. Alongside this, authorities in 11 EEA countries issued administrative fines totalling €55,955,871. In 2018 alone, the supervisory authorities in Germany handed out a total of 41 fines.
Uber – November 2018
In November 2018, Uber were fined £385,000 for paying off hackers who had stolen the personal details of 2.7 million UK customers. Uber hadn’t informed their customers about the breach.
Using “credential stuffing” (injecting username and password pairs into sites until they found a match), the hackers had accessed Uber’s cloud-based storage system and downloaded names, phone numbers and emails of customers, as well as 82,000 driver records. Following this, Uber paid the attackers a $100,000 ransom so that they would destroy the data, but it took them more than a year to tell the affected customers and drivers.
Due to the size of the breach, the sensitivity of the data stolen and the length of time it took Uber to notify those who were affected, they were fined £385,000. Alongside this, 174,000 people in the Netherlands were also affected, leading the DPA (Dutch Data Protection Authority) to impose a separate £532,000 fine.
Google – January 2019
In January 2019, the French data protection watchdog CNIL fined Google the largest GDPR fine to date – £44 million. This was because Google were found to have violated GDPR in two ways. Their data processing practices were found to be “massive and intrusive”, and it was also found that their data processing wasn’t transparent enough when it comes to creating a Google account through an Android device. CNIL had found that when consumers submit a SAR to Google, the information gets “spread across multiple pages”, making it “not easily accessible for users”.
According to CNIL, when it comes to Google processing data, the purposes of the processing were too vague and generic, meaning users weren’t able to fully understand them. Alongside this, it was found that the consent obtained for ad personalisation was not valid.
The Operational Impact of GDPR
It’s expected that “copycat legislation” modelled on GDPR will come into force in the next few years – Canada, Singapore, the US, Australia and Brazil, for example, are introducing similar legislation.
The Right to be Forgotten
Every individual has the right to be ‘forgotten’ by a business – should an individual ask an organisation to delete all the data it holds on them, the company must comply. This means that companies need to be able to find customer data quickly, and when this data is wiped, they need functionality that will keep a record of the deletion, thus proving the SAR request was carried out.
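As an added example (not code from the original article), the kind of erasure routine described above: it locates a subject across several constructed in-memory stores, deletes their data, and produces a deletion record that proves the request was honoured without the record itself retaining personal data. The store names, the record key and the request id format are assumptions.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed in-memory stores standing in for a CRM, a mailing list and an
# order system, all keyed by the customer's e-mail address.
STORES = {
    "crm": {"alice@example.com": {"name": "Alice", "phone": "0123"}},
    "mailing_list": {"alice@example.com": {"opted_in": True}},
    "orders": {"alice@example.com": [{"id": 1}, {"id": 2}]},
}

# Hypothetical secret used to pseudonymise the subject identifier in the
# deletion record, so the proof of erasure does not store the e-mail itself.
RECORD_KEY = b"replace-with-a-managed-secret"


def pseudonymise(identifier: str) -> str:
    return hmac.new(RECORD_KEY, identifier.encode(), hashlib.sha256).hexdigest()


def locate(identifier, stores):
    """Return the names of every store that still holds data on the subject."""
    return sorted(name for name, table in stores.items() if identifier in table)


def erase_subject(identifier, stores, request_id, now=None):
    """Delete the subject from every store and return a deletion record."""
    now = now or datetime.now(timezone.utc)
    hits = locate(identifier, stores)
    for name in hits:
        del stores[name][identifier]
    record = {
        "request_id": request_id,
        "subject": pseudonymise(identifier),
        "stores_erased": hits,
        "erased_at": now.isoformat(),
        "residual": locate(identifier, stores),  # must be empty after erasure
    }
    # A content hash lets an auditor detect later tampering with the record.
    record["record_hash"] = hashlib.sha256(
        json.dumps(record, sort_keys=True).encode()).hexdigest()
    return record


def verify_record(record):
    """Recompute the hash to check the deletion record has not been altered."""
    body = {k: v for k, v in record.items() if k != "record_hash"}
    expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    return hmac.compare_digest(expected, record["record_hash"])
```

In a real deployment the deletion records would be written to an append-only audit store separate from the systems holding customer data.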
Unencrypted Emails and GDPR
In 2017, cyber attacks on organisations cost the UK economy £10 billion, with seven out of ten companies falling victim to a cyber attack or breach. According to the Data Security Confidence Index, 58% of organisations collect sensitive data via email. Should sensitive information sent via an unencrypted email from your business be intercepted, your business will be found to be in breach of GDPR. With spam attacks, email spoofing and phishing being prominent forms of cyber crime, it’s never been more important for you to use email software that’s secure and will protect your business. After all, at every single part of its journey, an insecure email is at risk.
CEOs, managers and business directors need to educate themselves and their employees about the importance of cyber security, and start putting extra precautions in place, so that they can create a more GDPR compliant future.