Well that birthday was nearly a month ago – and yes, I’m terrible at remembering birthdays…
But the data protection legislation baby has grown quickly and at times flexed its newly-discovered muscles. And it’s going to get bigger and stronger in the coming years.
The whole point of it was to enhance the rights of EU citizens (aka EU data subjects) so that they know who holds their data, what is held and who it is shared with. The new UK Data Protection Act was created from the European General Data Protection Regulation (aka GDPR) to ensure that organisations can provide that information to users on request. In the UK this is enforced by the Information Commissioner's Office (aka the ICO). All EU member states must have a data protection authority set up to enforce the legislation, and these authorities report to the European Data Protection Board (EDPB). Any company operating in the EU must abide by the legislation, and any company anywhere in the world that holds data on EU data subjects must not take it out of the EU and is subject to the legislation.
In the UK the ICO has made a slow and steady start, and in general, breach reports have risen, complaints have risen and fines have risen. Although they have risen, it has been from a low base, and despite the doom-laden headlines preceding the UK DPA, most companies have just kept their heads down and done nothing. That's mainly because getting compliant can be expensive, time consuming and complicated. The ICO says[i] that one in three people have high trust and confidence in companies and organisations storing and using their personal information – which is more or less what we found. Although awareness is higher – evidenced by the 66% increase in contacts with the ICO – this does not correspond with the inertia of companies to actually do something[ii] – most especially SMEs and small charities. Half do not know who GDPR affects or don't think consumers have any extra rights. "…the overwhelming majority of small business owners were not aware of the potential fines for breaching GDPR…". The ICO still says that fines are the last resort but if the volume of cases continues to increase
In Europe we have seen a foretaste of what is to come. France's data protection authority (CNIL) fined Google €50m for a "lack of transparency, inadequate information and lack of valid consent to personalise advertising"; this action was on behalf of the whole EU (I think). Based on our own research, we found that the majority of "persons in the street" that we interviewed seemed to think that they were giving their data to Google to do what they pleased, in exchange for use of their services.
Apart from France, the rest of Europe has also been getting used to enforcing GDPR:
- Germany has issued 60 fines, including a social media company, knuddles.de, who were fined €20,000 for a data breach which revealed sensitive data from 330,000 users.
- In Austria a company was fined €4,800 because their CCTV monitored a large part of the pavement outside their business without appropriate transparency and notice.
- A Portuguese hospital was fined €400,000 for allowing too many employees to access patient records.
We are yet to see a fine levied on Starwood (Marriott International) who suffered a long-term data breach that exposed 500 million guest records including email addresses, passport details and other personal data. We might be seeing a €1bn fine here.
Outside Europe, Facebook has yet to be fined by the US Federal Trade Commission (FTC) for the Cambridge Analytica scandal in 2016. And while the US is debating the adoption of GDPR-lite, Japan, Brazil and India are also pressing on with their own legislation.
So what happens next? Further legislation is already in the pipeline too, such as the EU ePrivacy Regulation (ePR), which will strengthen (and potentially replace) GDPR in 2019. That means there may yet be a Godzilla vs King Kong-type battle between GDPR and Big Data as AI, 5G and the Internet of Things form part of the data privacy jigsaw. Although, I think I already know who would win.
© Gareth Gadd, Compliance Compendium Limited 2019
[i] The Information Commissioner's Office, "GDPR one year on"
[ii] Institute of Directors, "GDPR: One year on" – further quoting the Hiscox survey on GDPR