Welcome to the third week of our Data Round Up blog series! In this edition, we revisit GDPR. In May 2018, the General Data Protection Regulation came into force in EU law. Described as “the most important change in data privacy regulation in 20 years,” the regulation strengthened data protections for all EU citizens while forcing companies to adapt and comply or risk being fined. In revisiting GDPR, we look at what impact it has had in the past year, where companies currently stand, and how it will continue to affect business in the future. Let’s dive in!
One of the largest impacts of GDPR implementation has simply been an increase in awareness of data protection rights. According to a recent European Commission survey, 67% of EU citizens have heard of the GDPR and 57% are aware that a data protection supervisory authority exists in their own country. Across the EU as a whole, the European Data Protection Board (EDPB) cited over 144k queries and 89k data breach notifications made to EU supervisory authorities in the last year. The GDPR also appears to have extended its influence beyond the EU: Brazil, Japan, New York, and California have all had similar legislation introduced within the last year. On enforcement, as of February the EDPB noted that eleven supervisory authorities had issued administrative fines under the GDPR totaling €55,955,871.
One of the biggest questions after GDPR implementation was whether large companies would take the regulation seriously and change how they handle data, or simply absorb fines as a cost of doing business. This summer, it appears companies are learning the hard way that these regulations require their full attention and respect.
In July 2019, the ICO handed down a record fine of £183 million to British Airways. The fine stems from a breach of the company’s website by an attacker dating back to June 2018, in which the data of about 500,000 BA customers was harvested. While British Airways is currently appealing, this fine would be 367 times bigger than the previous record fine of £500,000, which was levied on Facebook over the Cambridge Analytica scandal. Under the GDPR, fines of up to 4% of a company’s annual global turnover are permitted; £183 million is equal to 1.5% of BA’s 2017 annual global turnover.
Marriott finds itself in a similar position this summer. While it also plans to appeal, the ICO has handed it a fine of £99.2 million. This fine is due to a weakness in its website security that allowed unauthorized individuals access to its guest database. In a statement explaining the intention to fine Marriott, the United Kingdom’s Information Commissioner Elizabeth Denham stated, “The GDPR makes it clear that organizations must be accountable for the personal data they hold. This includes carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.” As these fines make evident, a lack of data accountability results in serious punishment. While enforcement is still in its early stages, it appears any semblance of a grace period is over.
GDPR Moving Forward
The recent hefty fines from the ICO have made it harder for companies to defer security investments to a later date. As one leading internet security firm puts it, “Security performance has to be measured and managed in the same way as other business issues. The price to pay for not doing so is getting higher.” It is important to note that this makes compliance an ongoing process: data protection procedures and processes must be monitored and enforced continuously, not reviewed once. Despite some companies feeling “GDPR fatigue,” compliance now requires more than the box-checking that may have passed a year ago in 2018. Moving forward, one can expect supervisory authorities to make greater use of their enforcement powers, issuing larger administrative fines to companies that neglect proper data security measures. In turn, one should expect more and more companies to treat their data security efforts with greater urgency.
If you enjoyed part 3 of our weekly data round up series, make sure to like and share. Find the sources used in this blog here, here, and here. To check out part 2 of the series, click here. We’ll see you next week for part 4!