A misconception is brewing with some SMEs that they’re too small to be fined by the ICO for data protection failures, but that’s not the point, it’s their legal obligation to make sure they are compliant, Jonathan Jacob, CEO at Compliance Compendium told RegTech Analyst.
Fear levels about fines reached fever-pitch back when the General Data Protection Regulation (GDPR) became law on the 25thMay 2018. Major worries accumulated around whether companies would manage to cope with the plethora of the then forthcoming changes. One particularly strong concern was for an apparent monthly flood of subject access requests (SAR’s). But this has yet to materialise.
Jonathan Jacob said, “Before the start of the regulation, I think there were many people shouting from the rooftops in similar way to the “year 2000 bug” (Y2K) and even saying that this was the Y2K for data. A data watershed, so to say. I was very adamant that this would not be the case and sceptical about their motives for saying such things. However, it certainly was a date to take seriously because it’s the date that companies needed to start treating data held on individuals with respect. The problem was that many companies saw the 25thMay 2018 as the finish-line, yet it was only the start of the race.”
The most obvious reason about why fear levels subsided was that the large corporations had got their systems ready because they could afford to martial the personnel and sheer volume of capital needed to make sure things were in place. These were the ones in the limelight, as it seemed far more likely that one of these companies would be penalised in the early weeks. The SMEs though were the ones at greatest risk of action from the UK’s Information Commissioner’s Office (ICO). But the ICO themselves had to get to grips with the new legislation and as they are only a small organisation this has taken a bit of time. This was, after all, a serious and substantial change in data laws, so it was not possible to just ‘flip a switch’ and get things working.
A large number of companies and individuals had been misusing or storing data incorrectly for years, Jacob explained. They cannot be expected to simply revert their years of operations that quickly, it’s a long-winded process which starts with just trying to find where data is being held. Once that’s achieved, those companies can embark on rectifying the issues. It’s the same principle whether those companies are multinationals or small local businesses.
“I respect the ICO because, they’re not willy-nilly going out there and just fining everyone. They understand that something like this is important. If they were to mandate it, the difficulty is you’ll find many businesses going out of business because they wouldn’t be able to cope with the costs required to be compliant.”
The fear of impending doom through fines, was clearly enough to set investors alight with backing GDPR solutions. While over $6.2bn has been invested into the RegTech sector between 2014 and 2018, GDPR companies have pulled in more than $750m of this. This makes it the third most funded regulation over this period, falling behind KYC and AML providers which raised $2.1bn and $2.7bn, respectively. The level of capital raised by GDPR developers is even more remarkable by the fact it was only adopted in 2016.
The regulation is vast, and Jacob has seen several companies confused as to where to begin, leaving them at risk of fines. This is where Compliance Compendium aims to help. Working with SMEs, the SaaS-based company can help them understand their regulatory requirements around data privacy, in a cost-effective way. A lot of the smaller companies have faced price barriers for GDPR solutions, but Compliance Compendium has ensured that their prices are affordable so that smaller companies can still reach compliance comfortably.
It provides a holistic compliance platform for data privacy; a lot of other players have focused on one specific part of compliance, which is not cost effective for smaller companies. Compliance Compendium offers solutions that protect across the GDPR landscape; assisting with getting started and then subject access requests, regulatory assessments, breach management, consent management, and readiness accountability assessments. Clients can use the technology to ensure they know what information they are holding, where it is and ensure it can be accessed when needed.
The decline in fear for fines
After the 25th May 2018 and once the dust had settled, the fear levels of companies seemed to drop. There was a lot of talk about numerous companies being slapped with hefty fines of €20m or 4 per cent of annual turnover and wondering who would be the first to face a mega-fine. In part,the hype died down because the ICO outlined, on several occasions, that it wasn’t out to punish companies; its aim is to help them.
“But it’s not like they aren’t fining companies; however, they’re not going to go to the nth degree to bankrupt the business. What they want is for organizations to get on board and get their act together. And I think that’s where the role of the ICO is.” said Jacob.
For GDPR compliance the ICO and other supervisory authorities across Europe, have a selection of circumstances that they must account for, before issuing fines. This includes things like the nature, gravity and duration of infringement, whether the breach was intentional or negligent, if action has been taken to try and minimise risk, among many other factors. These measures have not just eased some of the anxiety but led to various misconceptions around who the ICO will fine.
Jacob said, “There is a lot of disinformation out there as well, which could be leading a lot of businesses down the wrong path, thinking they are not actually required to adhere to the new regulations. So, what happens is they fall foul of it! I think they have a ‘we’re not worried about it’- attitude because they are very small and so ICO wouldn’t possibly come after them. But, that’s a misconception because it’s not about the ICO coming after you, it’s your responsibility, and now a legal obligation to make sure you respect the data of those people that you are collecting on.”
The ICO may have started off by being hesitant with issuing fines, but this going to steadily change over coming months. There is no point fining all companies that don’t meet compliance straight away, as that doesn’t help anyone, especially the market. However, as the years go by the ICO will become stricter and stricter with enforcements. Once companies have had a few years to ensure they are compliant, then the big fines will be happen, as there will be no excuses.
This turning point could be a little closer than expected, well for the larger corporations at least. For example; Google was fined €50m by the French regulator Commision Nationale de l’information et des Liberties (CNIL, which is the French equivalent of the UK’s ICO), due to breaches in GDPR. According to various reports, the search engine giant was penalised for making access to user data too complex and a lack of transparency around essential information such as purposes of data processing, storage periods or what data is used for ad personalisation.