Twelve months on from the implementation of the new data protection rules, known as GDPR, European data protection agencies have issued fines totalling €56m from more than 200,000 reported cases – and, although most of the €56m came from Google, watchdogs have said the data protection agencies are just warming up.
Most of the cases reported in the media, and most of the 200,000 cases mentioned above, have come from data protection agencies outside the UK. In the UK, the ICO has yet to issue any GDPR fines for data breaches, although it has said that some GDPR cases are in progress and that investigations take time. For the past year the ICO has mostly been focused on legacy investigations, with fines handed to Uber, Facebook and Equifax. It therefore remains to be seen how severely those in breach of GDPR will be treated, but non-compliance is not a gamble worth taking.
Possibly the most significant change resulting from GDPR in the last 12 months is the number of companies self-reporting data breaches. According to the ICO, self-reported data breaches came to 1,700 in the first month and then levelled out somewhat to an average of around 400 per month. That is still a considerable number of companies in breach of data protection rules, and it counts only those who understood that they should report a breach and actually did so.
It is also worth noting that about half the complaints the ICO received in the last 12 months concerned the way subject access requests (SARs) have been handled. Businesses should therefore make sure they are capable of, and ready for, responding to a SAR should they receive one.
So, it would seem that the last 12 months have been a ‘transition year’ in which the ICO has focused on finalising its rules and approaches and has spent a lot of time tying up probes under the previous regime. If businesses are still unsure whether they are GDPR compliant, we recommend that they seek legal advice – the cost of non-compliance far outweighs the cost of making sure you have your GDPR house in order.