Monday, 1 July 2019

One Year On from GDPR: What’s Changed?

The General Data Protection Regulation (GDPR) came into effect on May 25, 2018. One year on from the implementation of GDPR, we ask: what’s changed?

The General Data Protection Regulation (GDPR) came into effect on May 25, 2018. At the time it was heralded as a major change in the way individuals and organisations will think about – and collect, manage and secure – data.

GDPR was the “four letters that put the fear into firms’ hearts in 2018” according to the Register’s review of the year’s events. But was that fear justified?

One year on from the implementation of GDPR, we ask: what’s changed?

What’s happened in the year since GDPR came into effect?

Here in the UK, the Information Commissioner’s Office (ICO) is responsible for enforcing GDPR.

It says it received around 40,000 data protection complaints and 14,000 personal data breach reports between May 25, 2018 and May 1, 2019. Of these personal data breaches, 12,000 cases were closed within that time period. And some 17.5 percent of those cases required action.

The increase in complaints does indicate that GDPR has empowered individuals to take greater control over their own data. And members of the public are now more aware of their privacy rights and the way their data is being used – and misused.

Whether this new understanding is a result of GDPR or the slow snowballing of the Cambridge Analytica scandal – or a combination of the two – is, perhaps, open to debate.

European regulators warn they are just warming up

Meanwhile, elsewhere in Europe four nations have made public fines under the new regime. These fines have been the most headline-grabbing aspect of GDPR thus far, so it is perhaps surprising that this figure should be so low.

Germany levied a fine of €20,000 against a chat app, Austria levied a fine of €4,800 for the unlawful use of CCTV, and Portugal’s regulator fined a hospital €400,000 for allowing staff unlawful access to data.

The biggest fine levied so far was the €50 million fine the French regulator CNIL laid on Google for lack of transparency, inadequate information and lack of valid consent regarding the personalisation of ads.

In all, around 65,000 data breaches were reported, and 95,000 complaints were filed.

The increasing clout of European lawmakers

The impact of GDPR isn’t only being felt in Europe. International firms who want to trade in and with Europe have picked up the standards laid down in GDPR as a benchmark for a gold standard in data protection regulation.

Perhaps the best illustration of Europe’s growing clout in this area was the introduction of the California Consumer Privacy Act. Signed into the State’s Civil Code in June 28, 2018, the Act demonstrates how Europe’s standards are being welcomed and adopted by lawmakers in the home of Big Tech.

California’s legislation was the first time the notion of personal data (as set out by the EU) – and the rights of individuals over their own personal data – was recognised on USA statute books.

As Rebecca Hill wrote in The Register, there is “growing public pressure to take action against the digital giants they are slowly realising aren’t run by geeks in jeans but, rather, ruthless business people.”

What can you do to protect your data?

The media and regulator focus on data breaches and their financial penalties has driven information security up the agenda of all businesses, including SMEs. Ensuring you have the right security measures in place, however, isn’t only essential for GDPR compliance – it makes good business sense too.

Over the last year, Grant McGregor has continued to guide SMEs, enterprises and public sector and third-sector organisations through the process of making their data more secure.

At a minimum, these efforts should include:

• Putting in place essential cyber security measures – the Government’s Cyber Security Essentials scheme is a good place to start for this.

• Ensuring all operating systems and software used in the organisation are patched and up to date and running the latest versions.

• Creating an Information Asset Register to help you manage security risk.

• Understanding the cyber security threats for your organisation – including people, technology, process and physical.

Securing mobile devices and implementing an effective mobile device policy.

• Reviewing – and, where necessary, beefing up – your disaster recovery and business continuity plans.

• Training staff to spot common attack vectors, such as phishing attacks, and how to deal with them.

• Employing two-factor authentication, where appropriate.

An unwarranted focus on data breaches?

The continued focus on data breaches as the main aspect of GDPR has drawn criticism from some quarters.

The Federation of Small Businesses (FSB) says: “The implementation of the GDPR and the Data Protection Act 2018 in May 2018 caused great excitement and confusion in the SME community. Disappointingly, it seemed that the media only focussed on the high new fines and the increased powers of the Information Commissioner’s Office, rather than shedding light on the realistic impact for individuals and organisations.”

Internet law expert Heather Burns says the year since the introduction of GDPR has made it clear “which companies have awakened to ‘privacy by design’ as a powerful tool for user empowerment, and are using GDPR as a launchpad for innovation – and which were only ever interested in using GDPR as a marketing angle for PR campaigns that ended on 26th May.”

It's clear that one year on, integrating the “privacy by design” approach to data management into your operations still offers organisations an opportunity to set themselves apart from the competitors, serve the public better, and gain significant competitive advantage.

What’s next?

While it may be difficult for small firms to address all the different aspects of GDPR that go beyond improving data security, information officers, and suchlike,  should take heart: you are not alone. Earlier this year, it emerged that ICO itself is failing to take its own advice.

In order to address the individual’s right to be informed, ICO recommends organisations produce and distribute a GDPR privacy notice for staff, detailing the way the organisation holds and processes their information. In April 2019, ICO confirmed it had still not distributed such a document to its own staff, saying the draft was still under review.

If ICO is still working on all the implications of GDPR, it is fair to say that its implications are still not fully recognised by many organisations in the UK.

If you aren’t sure about your responsibilities under GDPR, Grant McGregor consultants can help. Contact us here.

Developing the GDPR agenda in 2019

The UK Information Commissioner Elizabeth Denham marked the one-year anniversary with a blog post in which she set out her vision for how GDPR will evolve through 2019/20.

She said, “With the initial hard work of preparing for and implementing the GDPR behind us, there are ongoing challenges of operationalising and normalising the new regime. This is true for businesses and organisations of all sizes. A key area of work for my office during 2019/20 will be to support all parts of the UK business community, from the smallest SMEs to the biggest boardrooms, to deliver what is needed. Where the law requires it, I want to see Data Protection Officers (DPOs) embedded and supported in their respective organisations by senior management.

The focus for the second year of the GDPR must be beyond baseline compliance – organisations need to shift their focus to accountability with a real evidenced understanding of the risks to individuals in the way they process data and how those risks should be mitigated.”

We look forward to seeing how efforts to embed rights and enforce the regulation progress over the coming year.


If you’d like help embedding GDPR best practice in your organisation, Grant McGregor can help. Call us today on 080 164 4142.