The GDPR (or the General Data Protection Regulation to give it its full title) is now approaching its first anniversary (25 May, 2019) but what have we learned in its inaugural year? Many organisations panicked in the final few weeks in the lead up to GDPR going live and countless last minute “updated privacy policy” emails were received by customers – often from organisations who felt the need to send them because everyone else was doing it.
The first year of the GDPR should be considered as a transition year. In one regard its major success was revitalising companies interest and enthusiasm for data protection bringing it back to the boardroom table for discussion largely due to the prospect of huge fines for non-compliance. In another regard it could be considered as a failure in that despite it being headline news across Europe many organisations still have not got to grips with its technical complexity and what it means for their organisation.
The Information Commissioner’s Office (the “ICO”), the UK’s supervisory authority, has noted that it has seen a massive increase in reports of data breaches since the GDPR’s inception. The data breaches reported to the ICO range from wrongly addressed letters and emails to major cybersecurity incidents. The ICO will likely regard this as a success as more reported breaches equates to more compliance and ultimately to more understanding.
The hot topic of discussion among businesses in relation to the GDPR remains the fines. What have we learned about how the ICO will penalise GDPR breaches? The ICO have issued just 34 monetary penalties to businesses since the GDPR came into force as at the date of writing. Many of those fines have been to household name businesses. There have also been enforcement notices, undertakings and prosecutions against individuals.
Whilst the number of fines appears to be relatively low the level of fines certainly are not. Bounty (UK) Ltd, a pregnancy and parenting support club, was recently fined £400,000 for sharing personal data unlawfully. A fine of this magnitude would be enough to put many operations out of business. Bounty contravened the first data protection principle and came to the attention of the ICO during one if its general investigations into non-compliant practices of the data brokerage industry where Bounty were identified as a significant supplier of personal data to third parties for direct marketing purposes.
It was held that Bounty had not been transparent to its members about the potential disclosure of their personal data to third parties. I expect the number and level of fines to increase over the coming years as the ‘transition’ status wears off and the ICO increases efficiency in its processes and also its man power.
One year on what remains clear is that organisations must take data protection seriously and carry out all necessary steps to achieve and maintain compliance. Organisations should start by carrying out a data audit of all personal data coming in, held and/or processed by and leaving the business. It is only once such an exercise has been completed that a business can identify where and what their processes and procedures need to address in order to minimise breaches.
If like many businesses you felt rushed into GDPR preparations to meet the 25 May 2018 deadline, now is a good time to take stock and revisit your compliance regime.
Stephen Grant is an Associate solicitor in the Corporate and Commercial team of Wright, Johnston & Mackenzie LLP specialising in data protection law.
Wright, Johnston & Mackenzie LLP is a full-service, independent Scottish law firm, with a history stretching back 165 years, operating from offices in Glasgow, Edinburgh, Inverness, Dunblane and Dunfermline. Further information on WJM can be found at wjm.co.uk. Wright, Johnston & Mackenzie LLP is authorised and regulated by the Financial Conduct Authority. FCA reference number 231170.