Written by Lesley Holmes, Data Protection Officer at MHR UK & Ireland
GDPR was the hot topic of 2018, but what now? Nobody seems to be talking about it, but it hasn’t gone anywhere.
As GDPR drew closer, there were rumours of multi-million pound fines and people being sued over broken rules. So did it happen?
In a way, yes.
The Google fines
Straight after the launch of GDPR, one self-styled ‘data freedom activist’, Austrian Max Schrems, sued Google as well as Facebook and its subsidiaries to the tune of almost $4bn.
Three complaints worth $3.9bn were filed against Facebook, WhatsApp and Instagram respectively via data regulators in three different EU countries. As well as this complaint, French data protection authority CNIL filed a separate claim for $3.7bn relating to Google’s Android operating system.
The CNIL claim alleged a breach of regulations (rather than of data), as Google was accused of not respecting the rights of people to choose how their data is shared when they create an account. CNIL didn’t enforce the penalty, but if Google doesn’t clean up its act, other authorities will be less generous in future.
Despite legal challenges from governments, Schrems made most of the headlines, himself stating that Google was breaking the rules with an ‘all or nothing’ policy which did not allow users to select preferences.
While he was not successful, the case may lead to changes in the way Facebook can use data in Europe.
After Schrems took on Google, more problems were round the corner for the tech giant.
Despite the Irish Government asking Google to improve GDPR compliance, the French Government was quick to take charge when the tech giant failed.
The result: a fine of $57m.
As GDPR-eve was upon us last year, there were rumours that businesses who ignored the warnings would be expected to pay 2-4% of their annual turnover for a major fine. If Google had been fined at that rate, they’d be looking at a fine of $2.5bn to $5.1bn. In comparison, $57m looks like loose change.
What was the first year of GDPR like?
95,000 people have complained so far over potential breaches, but these have rarely meant legal action. It seems people are happy for legislators to do the work for them in most instances.
Despite the complaints, it does seem that companies are acting responsibly when self-governing, as businesses have already reported 41,000 potential breaches as of January 2019.
And that’s just the UK. Across Europe during the same period, 59,430 breaches were reported. Despite most businesses reporting responsibly, at least 91 fines had been issued at the start of 2019, with 60 fines coming from Germany alone. Most of those fines related to 2018, which was described by the French data protection authority (CNIL) as a transitional year ‘intended to allow businesses to understand and implement what the GDPR requires’.
This seems to be something businesses are well aware of. As of May 25th 2018 only half of companies reported as self-compliant, despite two years to prepare for the new legislation. This may be a lack of preparedness, but if it’s complacency, then the future may bring a shock for a lot of people in the form of hefty fines.
What risks will businesses encounter in the future?
If 2018 was a transitional year, there have now been plenty of warnings and the big fines are starting to mount.
The ‘low’ fine given to Google may be an indicator of a transition to much bigger fines.
Organisations can and will be given huge fines by data protection authorities if governments feel they are losing control, or that people have inadequate protection. This is especially true because failing to meet the requirements for technical and organisational security may lead to major hacking, and to data controlled by the state being misused as well.
WhatsApp, much lauded for its state-of-the-art encryption, was hacked recently. The circumstances were concerning, as the hackers were able to infect devices by simply dialling the number, even if unanswered, and then erase the call log.
This was resolved quickly in this case and the group (Facebook own it) were very open about what had happened, but mishandling a situation like this is likely to incur the wrath of the EU and the UK.
As well as state-led fines and punishments, individuals like Schrems may decide to sue organisations directly. This is the norm now in the US and many social commentators feel we’re not far behind, suggesting disastrous consequences for negligent businesses.
What’s the bigger picture for GDPR?
Big data is big business and those who hold a lot of data are fast becoming the new oil barons.
This ownership is losing value under GDPR, as it is harder to just harvest and use data freely for maximum profit without receiving a penalty. This should always be the case. GDPR has been brought in exactly for the purpose of reducing irresponsible data use.
While the UK government has more or less implemented a cookie-cutter version of the existing EU legislation, changes will come in the future if it seems the legislation is not right for Britain. But as EU GDPR rules will apply to data we share when trading with EU businesses, it will be important to respect data laws.
What are the main things to consider now?
Here are our top five tips:
1. Did you prepare for GDPR? If you didn’t, it’s not too late to make changes. If you did, can you improve?
2. With many businesses being let off in the initial period, some businesses are becoming complacent – make sure you are not one of them! Have regular reviews of your data.
3. Are you doing the right thing? If someone decides to sue you for a breach or mishandling of data, then you can relax a lot more if you know you did everything within your power to process your data responsibly and compliantly.
4. Make sure you’ve used all the tools at your disposal and take a back to basics approach: Know your data flows, assess your operations, produce a gap analysis, take action and then review.
5. Make sure that you are open and transparent about what you are doing with people’s data and why. A simple privacy notice that is easy to read goes a long way to help understanding and build confidence in your business.