GDPR - The Story So Far…

15 August 2018

The General Data Protection Regulations (GDPR) took effect on 25th May 2018 and now the dust and endless privacy notice emails have settled, we ask what has changed and what has happened since ‘G-Day’?

So let’s have a recap; The GDPR is intended to solve security issues that have emerged over the past two decades since the development of cloud technology and its impact on data security. GDPR creates an onus on companies to understand the risks they create for others, and to mitigate those risks.

In short, GDPR…

Is EU legislation that is the legal framework for data protection across Europe including UK
Came into force 25 May 2018 and businesses were accountable from day 1
Will significantly impact the way in which businesses hold, store and use personal data
Is more onerous than the Data Protection Act (DPA) and better reflects today’s world
Requires businesses to demonstrate compliance
Fines are much more significant than under the DPA

Key principles pertaining to the treatment of an individual’s data is:

Processed lawfully, fairly and in a transparent manner
Collected for specified, explicit and legitimate purposes
Relevant and limited to what is necessary
Accurate and up-to-date
Permits identification for no longer than is necessary
Processed securely

Some of the major implications

Data processors and controllers - processors are now required to maintain records of personal data and processing activities and are significantly more liable if responsible for a breach.
Consent - has to be freely given, specific, informed and unambiguous. It now requires “clear affirmative action” and so silence, pre-ticked boxes or inactivity do not count. It must be verifiable and can be withdrawn at any time.
Rights - individuals have the right to be informed of access, to rectification, to be forgotten, to restrict processing, to data portability and to object to automated decisions or where profiling has occurred.
Accountability - organizations must demonstrate compliance and businesses of 250+ people must keep additional records. In addition, certain types of organizations will have to have a Data Processing Officer

Almost every company waited until weeks or days before GDPR went into effect to notify all the individuals whose data they collect and process. This meant we received hundreds of emails from companies whose services we frequently use—and just as many from companies we didn’t even know about!

Were you taken by surprise when you realized how many companies you rarely associate with store your personal information?

Breaches since 25^th May

As May 26th arrived we started to see some of the impact from GDPR. Facebook and Google became to first victims of a massive lawsuit, on the very first day. It was filed by Max Schrems, an Austrian Data Privacy activist, who has been successful in previous years and is a critic of companies who collect and abuse surveillance of personal data on a massive scale.

Both Facebook and Google updated their policies, but Max Schrems claims those do not go far enough to protect the privacy of the millions of EU Citizens they serve. Facebook later received a fine of £500,000 ($664,000) in the UK resulting from the Cambridge Analytica scandal — a penalty that would have been $1.9B if GDPR had been in effect. All eyes will remain on these two companies as they continue to grapple with the restraints of GDPR.

In the first month of the GDPR ‘going-live’ the statistics for the UK and Ireland were as follows: The Information Commissioners' Office of the United Kingdom reported they marked 1126 GDPR cases in the first 26 days of the regulation. The Irish Data Protection Commission received 547 Data Breach Notifications and 386 complaints in the first month of the GDPR. 403 of the data breach notifications and 89 of the complaints are considered under the GDPR. As of yet – possibly due to the time it takes to investigate these cases – there doesn’t appear to be any fines imposed under the new regulations (Information from the ICO website dated 13/08/18).

Those who don’t comply with GDPR risk fines of up to 4% of annual global revenue or 20 million Euros, whichever is greater – something that Dixons Carphone in the UK are going to experience first-hand. Dixons Carphone have become the first business, post-25th May, to have admitted to suffering a huge data breach involving 5.9 million payment cards and 1.2 million personal data records.

Whilst there has been no evidence that any of the cards had been used fraudulently following the breach, it will not be long before Dixons Carphone experience the full wrath of GDPR and, after achieving a global revenue of £10.58 billion, they should be extremely concerned about this.

The fear around GDPR

There was a lot of scaremongering in the run up to the 25^th of May mainly due to misconceptions or in the bid to sell ’off the shelf’ GDPR solutions and comparisons were made between GDPR preparations and those for the Y2K Millennium Bug. In brief - 1999 saw fears that New Year’s Eve would see computers crash; planes to fall out of the sky and nuclear war accidentally start.

However, unlike planning for the Y2K deadline, preparations for GDPR should not have ended on 25^th May 2018- it requires on-going governance. It’s an evolutionary process for organizations – 25 May is the date the legislation took effect but no business stands still. You will be expected to continue to identify and address emerging privacy and security risks in the weeks, months and years beyond May 2018. The ICO has said ‘there will be no ‘grace’ period – there has been two years to prepare and we will be regulating from this date.

Summary

While GDPR has introduced a multitude of challenges for companies when it comes to providing services to EU Citizens and collecting personal information, it has also made those companies examine the data they are collecting and consider security.

So yes, GDPR has made a positive impact, and while it is not perfect it has forced companies to do more to protect the personal data they have been entrusted with.