The last twelve months have been a long teething period for GDPR compliance.
Companies underwent a herculean effort to update their policies and practices in time for the GDPR implementation date. Those who breathed a sigh of relief when 25 May 2018 came and went without the earth opening up under them should be mindful that compliance is an ongoing process, and that non-compliance can have serious reputational and financial consequences.
The following figures reveal interesting trends in consumer and business attitudes towards the GDPR, and data protection authorities’ use of their new enforcement powers.
The number of complaints made to data protection authorities across Europe under the GDPR between May 2018 and January 2019. The most common types of complaints were about telemarketing, promotional emails and video surveillance. This demonstrates that consumers are well aware of their rights, and complaint numbers suggest that they are quick to report breaches to their local regulators.
The highest fine levied so far under the GDPR.
This fine was issued against Google by the French data protection regulator, CNIL. CNIL held that Google’s data processing policies were not transparent, and that it did not have a legal basis for processing data to personalise adverts. This has exposed the tensions between US and European data protection practices, and could mark the first of a series of large fines against US tech giants across Europe. Shortly after CNIL’s decision, Google was fined €1.49bn in unrelated proceedings by the EU competition authority. Google is appealing both fines.
Most fines issued by the UK data protection regulator (the ICO) over the past year have been in relation to pre-GDPR complaints, so it hasn’t had the opportunity to flex its fine-issuing muscle yet. It will be interesting to see the level of fines which it issues in respect of serious and high-profile GDPR breaches. The ICO is currently investigating the Marriott Hotel breach in which personal data of up to 500 million customers was hacked (in some cases including passport numbers), and the British Airways breach of customers’ credit card details.
The number of personal data breach reports made to the ICO from 25 May 2018 to 1 May 2019. Only around 17.5% of these required action from the ICO and less than 0.5% led to either an improvement plan or civil monetary penalty.
The ICO has warned that organisations are over-reporting data breaches. But, in view of the considerable penalties for failure to report, and the absence of any penalties for over-reporting, it is understandable that organisations have erred on the side of caution.
The number of Morrisons employees affected by a data breach in 2014, when a rogue employee published payroll data on the internet. In October 2018 the Court of Appeal confirmed that, even though Morrisons’ data protection practices weren’t to blame, it is liable to its employees under the principle of vicarious liability. The Supreme Court will consider this later in the year. If the Supreme Court agrees with the Court of Appeal, businesses could incur significant liabilities in the event of a data breach, even if they comply with their obligations under the GDPR. This case is one to watch with interest.
The proportion of marketers who are feeling more positive about the effects of GDPR, according to a study from the Data and Marketing Association. Whilst many marketers were reluctant to cull names from their mailing lists in May 2018, the upshot is that they are now working with more engaged marketing audiences. A majority of marketers have seen an increase in email open rates (74%) and click-through rates (75%) over the past 12 months, while a large chunk have reported a reduction in opt-out rates (41%) and spam complaints (55%) over the last year.
The proportion of SME owners who don’t know who is affected by the GDPR, according to research carried out by Hiscox. Hiscox also found that 9 out of 10 SME owners don’t know the main new rights that GDPR gives to consumers. The ICO recognises the difficulties which SMEs have faced in reaching baseline compliance, and will soon establish a one-stop shop for SMEs.
The next twelve months
There are a number of important developments in the implementation of the GDPR which should take place in the year ahead.
Organisations which process significant amounts of personal data (which nowadays is most organisations) will follow these developments with interest.
Jane Ashford-Thom is an associate in the Reputation Protection department. If you have any queries about any of the issues raised in this article, you can contact the team here.