GDPR in 2019 – Things we have learned 1 year after GDPR

July 22, 2019 10:50 am, Geraldine Strawbridge

Well, it’s been an eventful few weeks. As we passed the 1-year anniversary of the implementation of GDPR, it seemed that many organisations had remained relatively unscathed from the threat of financial sanctions for non-compliance with the new regulation.

According to the European Data Protection Board, regulators in 11 countries issued fines totalling €55.96 million for GDPR violations. However, the bulk of this figure related to the €50 million fine issued to Google by the French data protection commission (CNIL). The company had been held to account for processing personal data for advertising purposes without obtaining the permission required under GDPR.

Organisations breathed a collective sigh of relief that the fines were not as widespread as initially anticipated, but over the course of two days, the Information Commissioner’s Office (ICO) unleashed its might.

British Airways was fined a massive £183 million for a security breach that exposed the personal data of over 565,000 customers. And just a day later, the international hotel group Marriott was fined £99.2 million for a huge data breach that exposed the personal data of 339 million guests across the world. The ICO confirmed that about 30 million of the hacked records related to residents of 31 countries in the European Economic Area.

It’s worth noting that in both cases, the ICO did not impose the maximum fine of 4% of global annual turnover. Fines are dependent on the severity of the breach and the level of cooperation involved. British Airways fully cooperated with the ICO and was in turn fined 1.5% of its global annual turnover. If the ICO had sought the maximum 4% of the company’s total revenue, the fine could have been a staggering £489 million.

Clearly, both fines are a game-changer for GDPR and have paved the way for even larger fines to be issued in the future. The ICO has demonstrated just how seriously they intend to take violations of the regulation and organisations have become acutely aware of the consequences of non-compliance.

What have the last 12 months taught us?

The last 12 months have been a steep learning curve for many organisations. Compliance with the GDPR was never going to be an easy process but for some organisations, especially larger multinational companies, it has proved an arduous task. Huge amounts of data spread across a wide variety of platforms, endless access points, and an increase in data requests have made compliance more difficult than many could have imagined.

GDPR has certainly made its mark on the world and over the course of a year it has led to the following:

Increased Reporting

The GDPR appears to be encouraging data breach reports with almost 60,000 reports being filed since the privacy law came into force on 25 May 2018. The data breaches ranged in severity from minor breaches to major cyber-attacks affecting millions of people.

Consumers have also become more cognisant of their privacy rights. After the GDPR came into effect, the ICO reported a 160% increase in complaints, and the Irish Data Protection Commission recorded 6000 complaints within the same period.

Need to secure supply chain

The attacks on British Airways and Marriott once again highlight the ongoing difficulties faced in securing a company’s supply chain. The BA breach bears all the hallmarks of a Magecart attack. The threat group is known for injecting card-skimming scripts into vulnerable e-commerce domains. To gain access to BA’s valuable customer data, the group is thought to have exploited a vulnerability in an older version of the e-commerce platform Magento, which is used by the company.

In Marriott’s case, the breach is reported to have originated in the Starwood guest reservation database, prior to the company merging with Marriott. Cybercriminals appear to have shifted their strategies: rather than targeting a company directly, they are attempting to inflict damage by exploiting vulnerabilities in its supply chain network.

To avoid falling foul of the legislation, organisations will need to conduct detailed risk assessments of suppliers and monitor their GDPR compliance.

Need for Staff Training

The GDPR states that employees need to receive regular information security staff awareness training. The training is key to ensuring that staff are knowledgeable about company policies, regulations, and the legal requirements that apply to their day-to-day role.

Indeed, the ICO specifically asks on their personal data breach notification form if staff involved in the breach have received data protection training within the past 2 years. If organisations are unable to demonstrate this, further inquiries will be made.

Organisations need to prove that staff have both read and understood GDPR policies. Being able to evidence this puts organisations in a strong position to demonstrate that ‘Privacy’ has become an integral part of their day-to-day business.

Importance of Data Protection Officers (DPO)

According to the IAPP, more than 500,000 organisations are estimated to have registered DPOs since the GDPR came into effect. Data Protection Officers play an important role in the protection of privacy and are central to effective accountability. For organisations that carry out certain types of processing activities, it’s mandatory to appoint a DPO.

A DPO must be appointed if:

  • You’re a public authority
  • Your core activities require large-scale, regular and systematic monitoring of individuals
  • Your core activities consist of large-scale processing of special categories of data or data relating to criminal convictions and offences

The DPO should be an expert in GDPR and privacy practices, as they are responsible for the monitoring and reporting of GDPR compliance. DPOs are expected to help guide Data Controllers and Data Processors by auditing internal compliance and suggesting suitable corrective recommendations where necessary.

So, what’s next for GDPR?

Within the space of a year, the GDPR has massively shaped the global privacy landscape. The regulation has prompted many other countries around the world to take a closer look at their own security and privacy laws.

Argentina and Japan have already started to align their national data protection legislation with the GDPR, and Brazil has implemented similar legislation, called the General Data Protection Law, that will come into effect on 15 August 2020.

Within the US, the states of California, New York and Colorado have passed local data privacy laws and the US Congress is considering a federal data privacy law as pressure mounts for stricter data protection across the country.

There’s no doubt that GDPR has been a force for good and prompted organisations to take privacy protection more seriously. If adhered to correctly, the GDPR enables organisations to become more cyber secure, efficient and competitive within the marketplace.

By demonstrating GDPR compliance, companies are likely to benefit from reduced organisational risk and build greater levels of trust with their customers. This transparency will, in turn, enhance brand reputation and lead to the development of more meaningful relationships.

However, as cybercrime evolves, and criminals become more deceptive in their attack methods, organisations will need to continually address privacy and security risks to ensure they are accountable for the personal data they hold and compliant with the legislation.
