GDPR: One Year On, Lessons Learned

On May 25, 2018, the EU rolled out a new set of data privacy laws under the General Data Protection Regulation, more commonly known as GDPR. The aim of GDPR was to set a standardized level of data protection for individuals across the EU. The negotiations for this new legislation took more than four years, with regulations concerned with how businesses should handle, store and protect consumer data.

Regardless of Brexit, the ICO (Information Commissioner’s Office) and UK government have stated that the UK will still have to comply with GDPR. In fact, any overseas businesses dealing with consumers and other businesses in the EU27 must be GDPR-compliant.

In the lead up to the GDPR deadline, the ICO called for GDPR compliance rather than enforcement, but news headlines focused on the eye-watering fines—enough to scare any business into getting themselves in line with the regulations.

For companies in breach or found to be non-compliant, there are two tiers of administrative discretionary penalties that can be levied:

  1. €10 million or 2% annual global turnover, whichever is higher; or
  2. €20 million, or 4% annual global turnover, whichever is higher.

It is important to note that fines are imposed on a case-by-case basis. Now that we’re a year on from GDPR being rolled out, it’s time to look back and reflect on its impact.

What Have We Learned One Year on From GDPR?

GDPR has reshaped the rules of data management and marketing, making the data and email compliance landscape much more complex. From collecting personal data via cookies so that information can be used for marketing purposes to storing personal data, explicit consent must be given by the individual—and sometimes more than once.

Alongside this, individuals have the right to submit a Subject Access Request (SAR) to businesses. Under GDPR, employers must respond “without undue delay and in any event within one month of receipt of the request.” This shortened the previous 40-day limit required under the DPA (Data Protection Act).

What’s interesting is that a recent survey has shown that three-quarters of UK organizations failed to address personal data requests within the 40-day period, with some businesses not even responding to consumer and employee requests at all. Alongside this, according to Corporate Counsel, there have been 59,000 data breaches reported in the EU since the introduction of GDPR, including 10,600 breaches from the UK.

Despite the warnings presented in the lead up to the introduction of GDPR, there have been a number of data scandals over the past year. The European Data Protection Board stated that since May 25, 2018, 206,326 data breaches were reported to supervisory authorities in the first nine months of GDPR being in force. Alongside this, authorities in 11 EEA countries issued administrative fines totaling €55,955,871. In 2018 alone, the supervisory authorities in Germany handed out a total of 41 fines.

Uber, November 2018

In November 2018, Uber was fined £385,000 for paying off hackers who had stolen the personal details of 2.7 million UK customers. Uber hadn’t informed its customers about the breach.

Using credential stuffing (trying username and password pairs leaked from other breaches against a site until one matches), the hackers accessed Uber’s cloud-based storage system and downloaded names, phone numbers and emails of customers, as well as 82,000 driver records. Following this, Uber paid the attackers a $100,000 ransom so that they would destroy the data, but it took the company more than a year to tell the affected customers and drivers.

Due to the size of the breach, the sensitivity of the data stolen and the length of time it took Uber to notify those who were affected, it was fined £385,000. Alongside this, 174,000 people in the Netherlands were also affected, leading the Dutch Data Protection Authority to impose a separate £532,000 fine.

Google, January 2019

In January 2019, French data protection watchdog CNIL fined Google the largest GDPR fine to date: £44 million. This was because Google was found to have violated GDPR in two ways. Its data processing practices were found to be “massive and intrusive,” and its data processing was also found not to be transparent enough when it comes to creating a Google account through an Android device. CNIL found that when consumers submit a SAR to Google, information gets “spread across multiple pages,” making it “not easily accessible for users.”

According to CNIL, when it comes to Google processing data, the purposes of the processing were too vague and generic, meaning users weren’t able to fully understand them. Alongside this, it was found that the consent obtained for ad personalization was not valid.

The Operational Impact of GDPR

It’s expected that “copycat legislation” modeled on GDPR will come into force in the next few years—for example, Canada, Singapore, the U.S., Australia and Brazil are introducing similar legislation.

In 2017, cyber attacks on organizations cost the UK economy £10 billion, with 7 out of 10 companies falling victim to a cyber attack or breach. According to the Data Security Confidence Index, 58% of organizations collect sensitive data via email. Should sensitive information sent via an unencrypted email from your business be intercepted, your business will be found to be in breach of GDPR. With spam attacks, email spoofing and phishing being prominent forms of cybercrime, it’s never been more important for companies to use email software that’s secure and will protect your business. After all, at every single part of its journey, an insecure email is at risk.

CEOs, managers and business directors need to educate themselves and their employees about the importance of cybersecurity and start putting extra precautions in place so that they can create a more GDPR-compliant future.


Charlene O’Hanlon

Charlene O’Hanlon is Chief Operating Officer at Techstrong Group and Editor at Large at Techstrong Media. She is an award-winning journalist serving the technology sector for 20 years as content director, executive editor and managing editor for numerous technology-focused sites including DevOps.com, CRN, The VAR Guy, ACM Queue and Channel Partners. She is also a frequent speaker at industry events and conferences.
