GDPR – Where are we now?
It has been over 15 months since GDPR was fully enforced. Staggering amounts of resources were allocated by businesses for the regulation, with one report stating that UK companies were spending an average of £1.3m to comply with GDPR, including a significant amount of time and man-hours to ensure compliance standards were met. But has this time and money paid off? Are businesses fully compliant when it comes to data protection? We took a closer look at these questions and the impact GDPR has made so far, along with the potential effect that Brexit could have.
Whilst it would be almost impossible for you not to know what GDPR is, for this blog we will do a little recap. GDPR stands for General Data Protection Regulation and is the core of Europe’s digital privacy legislation. Before this, data protection in the EU was governed by the Data Protection Directive from 1995. Obviously, there have been significant changes and advancements in digital technology since then, along with a transformation in social media’s role in all our daily lives, meaning that new, modern and fundamentally different regulation needed to be enforced.
From the 25th May 2018, all organisations needed to be GDPR compliant. What does this mean? Organisations had to ensure that all personal data gathered was done so legally, following strict guidelines and with full consent. Furthermore, those who collected this data had to ensure it was protected from any potential misuse or exploitation. Failure to do so would result in serious penalties. In the run-up to the 25th, you will probably have been inundated with emails asking you to agree to new privacy and consent policies.
15 months on
Since GDPR came into effect, more stories have come to light regarding poor security implementation leading to private data falling into the wrong hands, with serious consequences. One of the biggest fines to date has been to British Airways, who were fined £183 million for a series of data breaches in 2018 which involved data belonging to approximately 560,000 users being stolen, including payment information. These stories highlight the serious need for continuous improvement in data protection and increased cybersecurity: although many SME and micro businesses have engaged formally with cyber risk policies and processes, many are still not prepared for a data breach and have not implemented essential security steps.
So where are we in terms of numbers?
From 2019 it has been reported that:
- Over 95,000 complaints had been made to EU national data protection authorities (DPAs) by individuals who believe their rights under the GDPR have been violated
- More than 59,000 data breaches were reported across Europe in the first 8 months since GDPR was implemented
- Less than two thirds (59 per cent) of UK businesses are aware of the implications GDPR will have on their organisation
- Just six per cent of UK businesses have prioritised GDPR, compared to 30 per cent in France and 25 per cent in Benelux
So, what does this tell us? It would seem that businesses still have a long way to go before they become fully compliant. It has been a steep learning curve, with some companies dealing with an untold amount of data across varying platforms and sources. But it’s not all bad. GDPR has created a global incentive for companies to take privacy protection more seriously, providing clear processes through which organisations can become more cyber secure. It has also created a society that is better educated on data privacy and its rights. Those companies who can demonstrate their compliance can build greater levels of trust with their customers.
With GDPR applying to all companies based in the EU, many have been questioning what effect Brexit will have upon GDPR and whether there will still be the need to follow the legislation outlined. The short answer is yes, but it does get complicated. The UK did play a leading role in the creation of GDPR legislation and has long been committed to increasing the effectiveness of data protection laws. Based on the EU Withdrawal Act, upon leaving the EU, GDPR would work in conjunction with UK domestic law and the Data Protection Act of 2018.
However, the UK could be looking at being given ‘third country’ status, meaning that the transfer of data between UK and EU organisations will be subject to strict rules set out by GDPR. Data transfers to the UK will certainly be more complicated than they currently are, and things get more complex when you look at the implications around ‘adequacy’ and a ‘no-deal Brexit’.
Adequacy status is granted to those countries outside of the EU that have demonstrated, through meticulous testing, a level of data protection equivalent to that of the EU. However, with a no-deal Brexit being an increasingly likely outcome, the UK and EU would have no deal covering data protection and transfer, meaning that the UK would not automatically be granted this status. This would lead to a lengthy assessment process to obtain adequacy status, which could take months or even years and could still end in a refusal.
Organisations are now being encouraged to work with their EU partners to ensure compliance and identify a legal basis for data transfer in preparation for a ‘no-deal’ Brexit.
Looking to the future
Whilst there is uncertainty surrounding Brexit, there is no question that data protection regulation will remain consistent in the UK both before and after leaving the EU. Many companies are still not compliant, despite heavy fines being issued to large companies. It may be a long and arduous road ahead, but for the security of people’s data, it is one that organisations will have to take.
Should you need help with recruiting data protection and cybersecurity professionals, please get in touch with David Pynor, Head of Technology, on 020 3587 7905, or email email@example.com.