It’s been six months since the GDPR (General Data Protection Regulation) took effect, and for many people fatigue has already set in: mention the GDPR and you’re likely to get little more than a weary shrug in response.
“That didn’t come to much, did it?” they say. “No one’s even been fined.”
In fact, we’re very much in the eye of the storm as far as regulatory action goes and there’s no room for complacency.
The first GDPR fine was issued in Austria in October; another was issued this week, in Germany; supervisory authorities across Europe are busy investigating GDPR breaches; and the European Data Protection Supervisor, Giovanni Buttarelli, told Reuters last month that he expects to see widespread regulatory action by the end of the year.
He said: “I expect first GDPR fines for some cases by the end of the year. Not necessarily fines but also decisions to admonish the controllers, to impose a preliminary ban, a temporary ban or to give them an ultimatum.”
The first GDPR enforcement notice was issued by the UK’s supervisory authority, the ICO (Information Commissioner’s Office), on 24 October, to Aggregate IQ Data Services Ltd as part of the Cambridge Analytica/Facebook scandal, and the ongoing investigation into British Airways promises to be a test case.
The greater of €20 million or 4% of annual global turnover?
The Regulation states that the administrative fines issued should be “dissuasive”, as well as “effective” and “proportionate”.
Although the ICO maintains that maximum GDPR fines are a last resort, the past few months have seen it issue the £500,000 maximum fine available under the Data Protection Act 1998 to Facebook and Equifax, which could well be a sign that it is flexing its regulatory muscles in preparation.
And how much would it take to dissuade others from persisting with poor security measures, out-of-date systems and software, and poorly trained staff? For organisations such as British Airways a £500,000 fine is, frankly, peanuts. A £500 million fine, on the other hand, would make a real difference.
However the ICO chooses to approach data breaches under the new regime, we shouldn’t forget that the GDPR allows for data subjects to take legal action against data processors for failing to secure their personal data, so even if the ICO feels no immediate urge to exercise its new powers to the greatest extent possible, data controllers are not safe from the impact of breaches.
The recent Morrisons case – in which the courts found the supermarket vicariously liable for the actions of a malicious employee who leaked payroll information – caused many to sit up and take notice.
Add the likelihood of reputational damage to the increased risk of class actions against data controllers, and you should have ample incentive to ensure that all your data processing activities are mapped and appropriately secured so that you can demonstrate to the ICO that you’ve taken the appropriate technical and organisational measures to address the risks you face.
Catching up: it’s not too late to comply
We’ve conducted a survey to determine the extent of organisations’ GDPR compliance in the months after the Regulation took effect. We found that:
- Only 29% of companies had implemented the necessary changes to achieve GDPR compliance.
- 59% of respondents were aware of the changes to DSARs (data subject access requests), but only 29% had plans to adapt their processes to address them.
- 61% of respondents had implemented basic security controls to address data security and breach management.
GDPR compliance is an ongoing process. Organisations that were not fully compliant by 25 May have not missed the boat – nor should those few that then complied sit back and assume that their work is done.
Accountability is a key principle under the GDPR: you must not only comply but also be able to demonstrate that compliance. This means documenting your processes and procedures, and regularly checking them to ensure they’re still fit for purpose.
Our GDPR compliance checklist sets out eight areas you should address to ensure you can demonstrate your compliance:
- Establish an accountability and governance framework
- Scope and plan your project
- Conduct a data inventory and data flow audit
- Conduct a detailed gap analysis
- Develop operational policies, procedures and processes
- Secure personal data through procedural and technical measures
- Monitor and audit compliance