In the lead-up to 25 May 2018, we saw a flurry of activity as businesses rallied to become GDPR compliant. This was driven mainly by fear of the increased fines which the Information Commissioner’s Office (ICO) can now levy (up to the higher of €20,000,000 or 4% of global annual turnover). But how many of these businesses are continuing to monitor and update their GDPR compliance six months on?
The first fines have now been levied under GDPR, but in the UK so far these relate only to non-payment of the data protection fee. The ICO has yet to publish the outcome of any investigation into a post-GDPR breach, despite the sharp upturn in complaints after 25 May 2018. In the weeks following implementation, around 500 breaches were reported per week, a huge increase on previous levels, but these figures are now starting to level out. With increased awareness of their rights under GDPR, many individuals also made, and continue to make, complaints directly to the ICO. In many instances, matters have been over-reported, relating to issues which the ICO ultimately did not deem reportable. In fact, over a third of those initial 500 breach reports per week were deemed by the ICO to be unnecessary or to fall below the threshold for a reportable data incident. Whilst the initial eagerness seems to have subsided and the number of complaints from the public has fallen a little, it is unlikely that this reflects organisations’ full compliance with GDPR or the absence of data breaches; it may simply be data protection fatigue.
Many organisations are taking proactive steps to prepare for data breaches, and this exercise is allowing them to put breach taskforces in place that can plan for and adequately deal with breaches, including meeting the 72-hour deadline for notifying the ICO of a reportable breach. This seems to be the natural next step after the initial work organisations carried out to become GDPR compliant before it came into effect. It also reinforces the idea that compliance is not a static process, but one which continually evolves with the business.
What remains to be seen is when the 27% of UK businesses that claim not to have undertaken any work on GDPR compliance will start taking steps. Given the time that has elapsed since GDPR came into force, the ICO is unlikely to be forgiving of a failure to prepare if it is faced with a reported data breach from one of these businesses going forward.
There have been several well-publicised fines under GDPR elsewhere in Europe that reflect the emerging European commitment to the safety, proper use and transfer of personal data. In January 2019, the French data regulator CNIL issued a fine of €50,000,000 against Google for “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation.” Clearly, regulators mean business when investigating complaints and reported breaches, and a figure of this size shows that they are willing to calibrate fines against global turnover rather than the far lower caps that applied before GDPR.
We are also witnessing wider global law changes in which the GDPR ‘gold standard’ for data protection is being reflected to a large extent in other jurisdictions. As more jurisdictions work towards this ‘gold standard’, we can hope for greater consistency of approach between them. This will assist when looking at international transfers of data, in particular whether the destination jurisdiction is likely to be treated as providing an adequate level of protection under GDPR.
By Sarah Briscall, Commercial Solicitor at Shulmans LLP