As we approached May 2018, there was no escaping the impending general data protection regulation (GDPR). Following its announcement, we watched our inboxes fill with ‘opt-in’ marketing emails from brands we forgot we followed and saw unprecedented levels of panic as businesses grappled with the reality of what it could mean for them, their customers and their data.
The volume of publicity around GDPR can be explained by the increased risk of failing to comply: the maximum fine rose from £500,000 under the Data Protection Act 1998 to €20 million or 4 per cent of annual worldwide turnover, whichever is higher. That, coupled with increased publicity around how personal data is used by corporate giants, led to an overheated environment surrounding GDPR’s implementation.
So, has the dust settled nearly six months on? Most businesses are quietly getting on with GDPR compliance. No-one can put their feet up, but we have reached a ‘new normal’ when it comes to personal data. The road to compliance has been a complex one, and we’ve observed a number of trends.
Since GDPR took effect, the Information Commissioner’s Office (ICO) has highlighted a 160 per cent increase in the number of security breaches reported to it between 25 May and 3 July 2018 compared with the same period in 2017. Mandatory breach notification was a new requirement of GDPR and one of its more dramatic outcomes: a controller must now notify the ICO within 72 hours of becoming aware of a breach unless the breach is unlikely to result in a risk to individuals, and must also tell the affected individuals where that risk is high.
We’ve seen concerns around how, and whether, to report a breach, which can be anything from an employee’s payslip being sent to the wrong person to a large-scale cyber-attack. A lot of work is going on behind the scenes to manage the reporting of security breaches.
GDPR has also made consumers more aware of their rights, and many companies have seen a sharp spike in Data Subject Access Requests (DSARs) from customers wanting to know what information businesses hold about them. Under GDPR such requests must generally be answered within one month and, in most cases, free of charge, where the Data Protection Act 1998 allowed 40 days and a £10 fee.
Companies with large customer bases have naturally received more requests than others, but any DSAR requires significant resource to process, and some involve reviewing thousands of documents. Many law firms saw the potential for DSARs to soar, and we’ve been helping clients use technology and dedicated DSAR teams to streamline their responses.
Another outcome of GDPR is the potential for class action claims. We’ve recently seen the first class action in the UK to stem from a data leak, in which an employer was held vicariously liable for the malicious actions of a disgruntled employee who deliberately disclosed the personal data he had been given access to, even though the employer itself was not found to have breached its data protection obligations.
This has opened the door to further claims following the introduction of GDPR, and has prompted businesses to consider risk controls such as further limiting workers’ access to personal data to what their role actually requires, and introducing enhanced insider threat monitoring.
Business insurance in the event of a data breach is another factor companies are being forced to think about. A fine isn’t the only consequence; it is the rectification costs that can really hurt a business. Statistics suggest those costs could reach £250 per compromised client record once cyber consultants and other professionals are engaged, data is recovered and individuals are compensated. For organisations with millions of customers, that’s a lot of money to set things straight, and we’re urging clients to examine their insurance policies to be sure of exactly what they cover.
As the business community comes to terms with GDPR changes, we’re looking at what’s next. In the aftermath of the Facebook and Cambridge Analytica scandal, we’ve seen the use of online personal data profiling attract regulatory action on a global scale.
Facebook received a fine from the ICO a few weeks ago for allowing the now infamous “thisisyourdigitallife” app to access personal data for profiling without informing users or gaining their consent. As the breach occurred before GDPR took effect, the ICO could only issue the maximum penalty that applied at the time (£500,000). We haven’t yet seen a fine issued by the ICO under GDPR, as a full investigation takes time, and we’re waiting with interest to see what patterns emerge as the first GDPR fines are issued across the UK and Europe.
Meanwhile, the regulatory focus on responsible use of technology continues, with another new regulation on the horizon. Post-GDPR, the ePrivacy Regulation is set to further reform the law on online messaging, the use of location data and device tracking, including cookies. Although not yet final, it will have a significant impact on how online user activity is monitored, and we’re already seeing businesses making changes to stay ahead of the regulatory curve.
Helena Brown is Partner and Head of Data at Addleshaw Goddard