GDPR 1st birthday
On the occasion of GDPR’s first birthday Nick Mathys reflects on the business challenges, enforcement and why compliance matters.
Described by The Economist in its World in 2018 publication as the “…the most complex piece of regulation the EU has ever produced…”, the implementation of the General Data Protection Regulation (GDPR) on 25 May 2018 was intended to provide individuals with increased transparency and control over how their personal data is used in the digital age.
The GDPR aimed to redress the privacy imbalances created by the rapid rise of the Internet, social media, online advertising, automated decision making and other exploitation of personal data made possible by rapid technological advancements.
For their part, such organisations were expected to overhaul their businesses to comply with the world’s strictest data protection laws and foster a “culture of privacy” throughout all aspects of their operations. Onerous financial and reputational sanctions could be imposed, should they fail to meet the necessary standards.
As the GDPR comes up to its first birthday on 25 May 2019, we look at the challenges which businesses face in complying with the new law, how it is being enforced and why businesses still need to take it seriously.
How are businesses meeting the GDPR compliance challenge?
Creating and embedding the complex and extensive policies and processes required by GDPR has generally been easier for businesses which operate in sectors where the handling of data was already highly regulated. For example, businesses in the finance, pharmaceuticals and telecoms sectors, or those which had self-certified to rigorous technical standards such as ISO 27001 for information security management.
Such businesses have been able to meet the challenge of GDPR compliance by extending their existing compliance frameworks, a task made considerably easier by an existing culture of compliance and robust IT security systems and procedures.
For most businesses, however, the hurdle of GDPR compliance continues to remain high, commonly due to the following reasons:
- Raising awareness effectively across the workforce: Staff are both the greatest risk and defence for GDPR compliance. Effective training is therefore essential to minimise breaches and ensure effective responses to data incidents. Raising awareness and changing how staff work remains very resource-intensive, however, as all areas of the business must be covered and specific training is required for each area.
- Creating effective compliance documentation: Whilst the GDPR envisages the creation of standard form compliance documentation approved by the EU or national regulators, this has yet to appear. Meanwhile, regulatory guidance continues to emphasise the importance of businesses creating bespoke documentation to reflect their own data processing activities. The absence of readily available approved documentation has led to many businesses delaying their compliance projects or focusing only on the visible ‘easy wins’ such as updating their website privacy notices, while failing to address high risk areas such as training staff and ensuring that only GDPR compliant providers are used for core IT systems and maintenance.
- Guidance is lengthy, nuanced and incomplete: Since 25 May 2018, there has been a huge effort by the Information Commissioner’s Office (ICO) in the UK, and the European Data Protection Board (EDPB) at a EU level, to prepare guidance for assisting businesses in understanding how GDPR applies at a day-to-day level. Yet any business which is seeking clear concise answers to everyday questions must wade through long and complex guidance; for example, the ICO’s Guide to the GDPR is now more than 300 pages, and the EDPB’s guidance on transparency (i.e. privacy notices) alone is 40 pages. Guidance on other core areas, such as the regulation of employee related personal data and of sharing data with other organisations, has yet to be published.
These hurdles continue to result in many businesses not knowing how to start or continue their GDPR projects, and therefore delaying important action. Our experience with SMEs and global corporations alike is that it is essential to adopt a robust risk-based approach. Such an approach is endorsed by regulators and allows resources to be focused on identifying and addressing the areas of highest data risk in the business, providing the first crucial handhold for a business to start its GDPR compliance programme.
How has the GDPR been enforced?
Dramatic newspaper headlines in May 2018 created the impression that non-compliant businesses would be at immediate risk of onerous fines of up to 20 million Euros or, for major international businesses, up to 4% of worldwide annual turnover. In practice, the first year of enforcement action has been underwhelming and created mixed messages for businesses:
- Few GDPR fines: Regulatory investigations take time, usually years, before a fine is imposed. The fines imposed by regulators since 25 May 2018 have mostly been in respect of breaches that happened before then, and so fines have often been limited to the maximum amounts permitted under pre-GDPR laws. In the UK, this was illustrated by the ICO’s imposition of a fine of £500,000 against Facebook in October 2018, and of £385,000 against Uber in November 2018, both small fines considering the magnitude of the breaches and global revenues of the organisations.
- Google, the obvious target: The single significant GDPR fine to date has been the EUR 50 million fine issued by the French regulator CNIL in January 2019 against Google LLC for breaches relating to its privacy notices and consent for ads personalisation. It was widely expected that Google would be one of the first multinational companies to be fined under the GDPR, and that the fine would be significant and represent the extreme end of GDPR fines. From that perspective, the EUR 50 million fine was viewed as lenient, especially compared to the recent multi-billion Euro fines against Google under EU anti-trust laws. Many businesses have interpreted CNIL’s decision as a sign that GDPR fines will not be as high as they were led to believe.
- Too many breach notices and complaints: Regulators are overwhelmed by the thousands of GDPR breach notifications and complaints they are now receiving each month. Despite regulators having more staff (the ICO has over 700), significant resource is consumed by the administrative effort of processing notices and complaints, which appears to have led to a drop in ‘regular’ enforcement action against businesses.
Why GDPR still needs to be taken seriously
Despite the many challenges of GDPR compliance and the lack of aggressive enforcement action to date, there are still compelling reasons for businesses of all sizes and sectors to take GDPR compliance seriously:
- Commercial necessity: Customers, suppliers, business partners and other stakeholders expect the businesses they deal with to be GDPR compliant and are increasingly requesting evidence and confirmation of such compliance.
- Reputational risk: Regulators typically publicise their enforcement action against non-compliant businesses, even if no fine is imposed. This can damage trust in a business, not only among its customers but also, increasingly, among potential acquirers or joint venture partners. GDPR non-compliance is now often a ‘red flag’ issue in the due diligence process for corporate transactions.
- Group litigation: Increasingly a threat to businesses with large workforces or consumer customer bases, group litigation for data breaches is becoming more common as it has been spurred on by the rise of ‘no win no fee’ models and the ability for individuals to claim damages purely for distress when no actual damage has occurred.
- Bigger fines are coming: Businesses should not take false comfort from the first year of enforcement action; ongoing regulatory investigations into major data breaches will start to culminate in significant GDPR fines over the coming months and years.
- Cyber resilience: Businesses which strive to achieve GDPR compliance will naturally improve their resilience to cyber-attacks and other information security compromises.
- Brexit: No matter what happens with the Brexit process, the UK Government has been consistent and unequivocal in its approach that the UK will maintain data protection laws equally as rigorous as the GDPR. Complying with the GDPR therefore lays the foundations for a business to comply with future UK data protection laws.
At Lewis Townsend LLP, we specialise in advising on all aspects of data regulation, from implementing national and cross-border GDPR compliance projects to advising on the GDPR regulatory aspects of corporate transactions, carrying out clinical trials, and launching new online services. Our clients span all sectors, from multinational financial institutions, technology providers and telecoms carriers to industrial manufacturers, app developers and e-commerce companies.
Please feel free to contact our Head of Data Protection:
Nick Mathys, Partner
T +44 20 7096 0298
M +44 7375 527 040
Note: the contents of this update are provided as at 24 May 2019 for information purposes only and do not constitute legal advice on specific circumstances.