On 25 May 2018, the EU's General Data Protection Regulation (GDPR) became enforceable across the member states, and the European Data Protection Board (EDPB), the body that coordinates the national regulators, was established on the same day.
With clear requirements to strengthen the protection of personal data, combined with explicit penalties for businesses that breach them, GDPR was a trending term both online and offline that spring. Where many businesses invested time and resource in revising all of their processes to comply with the regulation, others failed to understand how GDPR would affect their operations, believing that a few changes to their digital contact forms made them fully compliant.
Fast forward 18 months, are businesses still concerned about GDPR? And what has changed as a result of this new ruling?
In recent months, there have been increasing reports of significant fines against well-known businesses and brands for breaching GDPR. The first big one was issued by the CNIL in France, which fined Google 50 million euros. This was quickly followed by the ICO in the UK issuing a notice of intent to fine British Airways the equivalent of around 205 million euros, followed by a further notice of intent to fine Marriott Hotels around 110 million euros.
A report issued by the EDPB, ‘1 Year from GDPR: Taking Stock’, revealed that 60% of the ‘top 20’ fines issued over the first year related to unauthorised access to personal data, either through cyber-attacks or through poor security procedures. The remaining 40% related to organisations not being transparent enough, or operating poor consent, data retention and data minimisation procedures.
Ultimately, this tells us that regulators are working hard to uphold legislation and ensure those in breach face serious consequences.
Increased public awareness & resulting demand
The rise in GDPR fines has partly been driven by an increase in public awareness: roughly half of the 281,088 cases reported by regulators over the first year were complaints lodged by the individual data subjects themselves.
As a result, businesses and brands have become increasingly fearful of complaints and fines, driving better compliance and improved cooperation between organisations and regulators.
With increased public awareness, litigation risk is also growing quickly. Claims firms have been quick to move into this area and are now starting to support data subjects in bringing individual claims against non-compliant organisations. Some are even helping data subjects by automating subject access requests, offering a quick way of forcing organisations to hand over documents and provide access to personal data. This has placed a greater administrative burden on organisations, and in-house data protection teams have grown as a result.
What does this mean for businesses?
Although the ‘hype’ around GDPR has certainly died down, the consequences of breaching it still very much apply, with regulators continuing to take a tough stance against any organisation that has, or may have, breached the regulation.
Although GDPR may no longer dominate the headlines, the last 12 months have seen a vast increase in reported personal data breaches, demonstrating that despite the extensive media coverage, businesses – and large ones at that – are still failing to comply.
All organisations, particularly those that hold a lot of consumer data, need to dedicate the time and resource to review their existing processes regularly to ensure thorough compliance with GDPR. During the initial hype, many businesses and brands concentrated their efforts on email marketing and consent wording without truly understanding the extent of what GDPR covers, including security of processing, breach notification, data retention and subject access, and for many that is where the concerning gap still lies.
Aside from the risk of a hefty fine, businesses failing to comply with GDPR also risk reputational damage, diminishing stakeholder trust and, potentially, slower growth. In uncertain economic times, that is a risk few organisations can afford to take.