The 25th May 2018 saw the GDPR become enforceable in law. But what exactly changed, and where are we now? The flurry of emails demanding your consent to this, that and the other has now ended, thankfully. Businesses have now realised that consent is not the only way to communicate with clients and prospects. So, GDPR – 3 Years and counting: what has the regulation actually achieved, and what is next?
Three Years Ago
As I recall, emails about consenting to communications, newsletters and all sorts of other things I never knew I had subscribed to in the first place began to fill my inbox. At first, I made a decision about what I wanted and what I didn't. It became more like an onslaught, so I elected to delete the emails. I believed that my lack of response would be enough to stop any further communication. My belief was in fact correct, as my consent had not been given by an affirmative action. However, the senders' lack of understanding of the GDPR meant the messages kept coming.
I have worked with the GDPR since long before it came into force, and with the Data Protection Act 1998 before that. Many different people have been given the title of DPO (Data Protection Officer). Most of them did not want it, or had no idea how to go about it. The degree of panic about the GDPR wasn't helped by the ICO statement of 25th May 2018. They said that businesses "shouldn't panic". Gee, thanks guys, we feel better already! The BBC Breakfast business slot on 25th May, trying to explain the GDPR and plainly not having a clue either, made the situation worse. Panic and confusion reigned, and so did resignation, as many companies decided to "wait and see what happens".
Many people started to make comparisons with Y2K. For those of you who don't remember, the world was due to end on New Year's Eve when computer year clocks changed from 99 to 00. It didn't, as the fix was a simple one. To some people the GDPR felt like the world would end. It didn't!
An early misconception about the GDPR was that consent was the be-all and end-all of communication: no consent meant no communication with anyone, including customers! Clearly this was not the case, as fulfilling a contract with a client requires some sort of communication. Early so-called experts advised businesses incorrectly, leaving them behaving in a non-compliant manner and incurring costs that were simply not necessary.
The GDPR dust settled throughout 2018 and the needs of businesses' data processing became clearer. Many ask me what is good about the GDPR and what is not. Fake news around the GDPR has not helped, with rumours and misinformation distracting business leaders from the real requirements. Many thought they were exempt and, without really checking, did nothing whatsoever. The GDPR does address the needs of individuals, who have the right to have their data protected and not sold or abused. On the latter point, the purpose limitation principle has been excellent, though often ignored by many businesses.
There has been much comment about fines. Within the GDPR there are two tiers of fines, determined by the type and severity of the infringement. It has been clear that only the most severe data breaches would be subject to the greatest fines, and thus far this seems to be the case. The GDPR allows regulators to levy very large fines, but so far no regulator has done so. According to DLA Piper, as of January 2021 nearly £250 million worth of fines have been imposed throughout Europe, and over 160,000 personal data breaches have been recorded. GDPR – 3 Years and counting will only see this number rise.
Data Subject Access Requests
An area of the GDPR often abused is the right to make a Data Subject Access Request (DSAR). Individuals may be being difficult for the sake of it, or trying to use the right instead of open disclosure in legal cases. The disappointment has been the ICO being overly keen to support individuals in such cases. Businesses have the right to refuse a DSAR, and the ICO should support this.
Data Breaches and Fines
Recent incidents have exposed that perhaps the GDPR can be unfair to Data Controllers. The data breach at PracticeHub clearly illustrates this. Many dentists, chiropractors and other clinicians used this cloud service to run their businesses. However, the loss of this data left all of these businesses needing to pass on the bad news to their clients, despite having done nothing wrong and having trusted their provider. It seems unfair for clinicians to have to pass the message of the data breach on to their clients. A recent case in the Italian courts found that the data processor was liable and responsible for the breach. The lack of a standard across Europe makes it very difficult for controllers to ensure that processors are data secure.
Here are the top five breaches: Google, H&M, TIM Telecom, British Airways and Marriott Group. Two of these were actual data breaches. The other three were not; they were due to poor practice. Therefore you might ask, why were they fined? Regulators are focusing on culture, not just data breaches. In all cases it was clear that the businesses concerned were guilty of poor processes and a culture that was not data safe.
What does the future hold?
GDPR – 3 years and counting, and the GDPR will be with us for a long time. The UK Government has made it clear that it wants Britain to be a place where companies can transact digital business, and the GDPR will be a vital component of that strategy. On leaving the European Union, a new law came into force that contains the EU GDPR, the PECR (Privacy and Electronic Communications Regulations (2003)) and the Data Protection Act 2018. This is now better known as the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.
Regulators are taking external factors, namely the pandemic, into account and adjusting accordingly. However, this is only where applicable. What organisations cannot rely on is affected individuals being as forgiving. With group actions, and the GDPR allowing individuals to make claims when their data is breached, there is a very real possibility that these will hit organisations harder than regulatory fines.
In 2021, with the end of the pandemic looming, now is the time for organisations to learn the lessons from others who have fallen foul of the GDPR to date. Focusing on data protection practices and making compliance a habit goes a long way towards avoiding the full ramifications of a data breach.
Happy with your compliance? Why not let us check it for you?
Call us today on 03333 22 1011 or contact us via our website.