GDPR caused a headache for businesses a year ago, but has it gone away? Lesley Holmes lets you know the inside story (July 2019 revision).
July 2019 Update:
Two months ago, MHR’s DPO Lesley Holmes predicted that 2019 would be the year GDPR really got going and that 2018 had just been a transitional year.
That prediction has now come true, with a record fine of £183M for British Airways and the UK’s data privacy regulator set to fine Marriott hotels £99.2 Million.
In the case of Marriott, the ICO said that they had failed to review their data practices, similar to the problems at BA. This feels like the beginning of a huge wave of fines for companies who have ignored the warnings.
Lesley pointed out in May that as of May 25th 2018, only half of companies had reported as self-compliant. While BA and Marriott are likely big enough to take the hit, fines like these may spell the end for many other companies who are still not compliant.
Here is the full article for deeper insight and some crucial tips for HR professionals working under GDPR.
Original article, published 22/05/2019.
GDPR was the hot topic of 2018, but what now? Nobody seems to be talking about it, but it hasn’t gone anywhere.
As GDPR drew closer, there were rumours of multi-million pound fines and people being sued over broken rules or misunderstanding what GDPR meant…so did it happen?
Well kind of, yes.
Straight after GDPR got going, one self-styled ‘data freedom activist’, Austrian Max Schrems, sued Google, as well as Facebook and its subsidiaries (which include Instagram and WhatsApp), to the tune of almost $4 Billion.
Officially, three complaints worth 3.9 Billion dollars were filed against Facebook, WhatsApp and Instagram respectively via data regulators in three different EU countries. As well as this complaint, French data protection authority CNIL filed a separate claim for 3.7 billion relating to Google’s Android operating system, showing wide concern around Google’s practices.
The CNIL claim concerned a breach of the regulations (rather than a data breach), as Google were accused of not respecting people’s right to choose how their data is shared when they create an account. CNIL didn’t enforce the penalty for this ultimately, but if Google don’t clean up their act, chances are other authorities will be less generous with their own actions in future.
Despite legal challenges from governments, Schrems made most of the headlines, himself stating that Google were breaking the rules with an ‘all or nothing’ policy which did not allow users to select preferences. One man took on a behemoth, confident that GDPR gave him the backing he needed for success in a legal landmark.
While he was not that successful financially in the end, the case may still lead to changes in the way Facebook can use data in Europe. And remember, this is just one man rather than a large organisation or government against Google – and one man almost won.
After Schrems took on Google, more problems were round the corner for the tech-giant.
Despite the Irish Government asking Google to make amends in areas where they were seen to be falling short of GDPR compliance (Google’s international office is in Ireland), the French Government were quick to take charge when Google didn’t do this.
The result? A fine of 57 Million Dollars.
The result of complaints from two NFP organisations, this fine is very big; there can be no argument about that. The only thing is, many feel that there can be.
As GDPR-eve was upon us last year, in the last few weeks and days before GDPR took effect, there were rumours that businesses who ignored the warnings could expect to pay 2-4% of their annual turnover for a major fine. So if Google were fined on that basis, they’d be looking at a fine of around 2.5 to 5.1 billion (yes, billion!) US dollars. A fine like this almost surreally makes 57 million pounds look like loose change.
What was the first year of GDPR like?
95,000 people have complained so far over potential breaches, but these have rarely meant legal action, so it seems people are happy for legislators to do the work for them in most instances.
Despite the complaints, it does in fact seem that companies are acting responsibly when self-governing: businesses had already reported 41,000 potential breaches as of January 2019, a figure which is set to rise. But don’t worry; it’s better for both consumers and businesses that breaches are reported than swept under the carpet.
And that’s just the UK. Across Europe during the same period, 59,430 breaches were reported, displaying consistency among businesses.
Despite most businesses reporting responsibly, at least 91 fines had been issued at the start of 2019, with 60 fines coming from Germany alone. Most of those fines related to 2018, which was described by the French data protection authority (CNIL) as a transitional year ‘intended to allow businesses to understand and implement what the GDPR requires’.
This seems to be something businesses are well aware of. As of May 25th 2018, only half of companies reported as self-compliant, despite having two years to prepare for the new legislation. This may be a lack of preparedness, but if it’s complacency, then the future may be a shock for a lot of people at the business end of hefty fines.
What risks will businesses encounter in the future?
If 2018 was a transitional year, then any date after that must be taken far more seriously, as there has now been plenty of warning and the big fines are starting to mount.
The ‘low’ fine given to Google may be an indicator of a transition to much bigger fines, or it may be a politicised decision as we will discuss in a moment.
The fact remains that organisations can and will be given huge fines by data protection authorities if governments feel they are losing control, or that people have inadequate protection. This is especially true because failing to meet the appropriate requirements for technical and organisational security may lead to major hacking, and to data controlled by the state being misused as well.
WhatsApp, much lauded for its state-of-the-art encryption, was hacked recently so the theft of data is something we should be worried about. The circumstances too were concerning, as the hackers were able to infect devices by simply dialling the number, even if unanswered, and then erase the call log.
This was resolved quickly in this case and the group (Facebook owns it) were very open about what had happened, but mishandling a situation like this is likely to incur the wrath of the EU and the UK, who do have very real legislative power.
As well as the full remit of state-led fines and punishments, individuals may, like (but not limited to) Schrems, decide to sue organisations directly. This is the norm now in the US and many social commentators feel we’re not far behind, suggesting a very large can of worms could be flying open very soon, with disastrous consequences for negligent businesses, or just for those who are still (still!) unclear what the impact of GDPR means. What is already clear is that the future will include many more class-action lawsuits.
What’s the bigger picture for GDPR?
Big data is big business and those who hold a lot of data are fast becoming the new oil barons, such is the value of data.
To read MHR’s blog on the big data / oil barons debate, click here.
This ownership is losing value under GDPR, as it is harder to simply harvest and use data freely for maximum profit without receiving a penalty as a result. This should always have been the case: GDPR has been brought in precisely for the purpose of reducing irresponsible data use.
While the UK government have more or less implemented a cookie-cutter copy of the existing EU legislation despite the Brexit vote, changes will come in the future if it seems the legislation is not right for Britain.
Some commentators have claimed there may be a so-called ‘Brexit light’, letting big businesses get away with more to stimulate the economy, but very few people feel that this will happen. Another reason this might not work too well is that EU GDPR rules will still apply to the data we share when trading with EU businesses, so it will remain important to respect data laws. Either way, the future will include a lot more GDPR debate.
Whatever the future holds, being responsible with data is still advised as the story of GDPR has not yet truly been written – we’re still on the first page.
Lessons HR & Payroll teams can learn from GDPR so far
As we have seen, it’s been an eventful year, but what are the main things to consider now? Here are our top five tips:
Did you prepare for GDPR? If you didn’t, it’s not too late to make changes; if you did…can you do it better?!
1) With many businesses being let off in the initial period, some businesses are becoming complacent - make sure you are not one of them!
2) Make sure you have regular reviews of your data and, if you are big enough to have a dedicated team, make sure you use them. This ensures continuity in everything you do. If you don’t have a team to do this, allocate a data controller and/or speak with your DPO or similar.
3) Are you doing the right thing? If someone decides to sue you for a breach or mishandling of data, then you can relax a lot more if you know you did everything within your power to process your data responsibly and compliantly. Bear in mind though, a thousand employees claiming they have had their rights and freedom impinged could cost a business in the region of £1.2m if they take out a class action (and win). The complaints can add up so don’t let them happen.
4) Make sure you’ve used all the tools at your disposal and take a back-to-basics approach: know your data flows, assess your operations, produce a gap analysis, take action and then review. Simple but effective.
5) Make sure that you are open and transparent about what you are doing with people’s data and why. A simple privacy notice that is easy to read goes a long way to help build understanding and confidence at your business.