One year on
It has been nearly a year since the EU's General Data Protection Regulation (GDPR) came into force on 25th May 2018, applying across the EU, including the UK. The data protection law was designed to give individuals in the EU more control over the personal data that organisations hold about them.
GDPR aims to improve the way that businesses handle their customers' personal data in terms of how it is collected, processed and stored.
Complying with GDPR
Over the past 12 months, national data protection authorities across the EU have fined businesses that failed to comply with GDPR. Fines have totalled nearly €56 million across some 91 cases, most of which was the €50 million fine imposed on Google by the French regulator, CNIL, in January 2019.
GDPR has also acted as a blueprint and inspired a global movement that has seen countries around the world adopt similar privacy laws.
Benefits so far
- Improved cybersecurity – A strong correlation has been reported between GDPR-compliant businesses and lower rates of reported data breaches. Correlation is not proof that compliance alone prevents breaches, but the controls GDPR requires (access restriction, encryption, breach detection and response) are the same ones that reduce breach risk.
- Working together – Not all GDPR infringements lead to fines. Depending on the severity of the breach, the sanctions available to regulators also include warnings, reprimands and temporary bans on data processing.
- Customer loyalty – Customers trust and value businesses that openly protect their privacy, so GDPR compliance has instilled confidence in brands.
The ongoing challenges
- The cost of compliance – Policies and processes needed to be updated and implemented, and many businesses employed staff to guide them on GDPR compliance. Data storage and cybersecurity are also top priorities for GDPR-compliant businesses, which bring additional costs.
- Penalties – The maximum fine for non-compliance is 4% of global annual turnover or €20 million, whichever is greater (a lower tier of 2% or €10 million applies to less serious infringements). Research has found that many people want more clarity over how fines are set and how the severity of a breach is judged.
- Uncertainty – There are still a lot of businesses that are unsure about the GDPR's requirements and how to respond to a data breach. More education is needed!
Whilst GDPR has made significant improvements to many businesses and the way that they handle data compliance, there are still a lot of grey areas. The number of breach notifications and complaints is far higher than the number of fines that have been issued, which means that data protection authorities have chosen to give warnings instead, or are still investigating. Only the most serious data breaches have attracted fines, and these have been the high-profile cases in the press. Other enforcement actions have related to telemarketing, promotional emails and video surveillance.
“Aside from the jargon and scaremongering – GDPR has acted as more of a proactive force, ensuring all businesses take a good long look at their data compliance and cybersecurity strategies. The introduction of GDPR a year ago has certainly shed more light on where some companies have been going wrong and has also meant that customers look more critically when choosing where to store and process their data.” – Graham Marcroft, Operations and Compliance Director at Hyve Managed Hosting.
[NB: We recommend that businesses regularly check that they are still following the GDPR's main principles and familiarise themselves with how to report data breaches to their supervisory authority (the ICO in the UK), bearing in mind that a notifiable breach must be reported within 72 hours of the organisation becoming aware of it.]