GDPR: One year on, contractors mustn’t get complacent
Unlike their larger counterparts, small-ish outfits should have seen the GDPR’s one-year anniversary on Friday as cause for a bit of a celebration. Penalties for flouting the legislation have been a non-issue, and that means officials have, refreshingly, kept their promise to use the carrot and not the stick, writes Charlotte Gerrish, founder partner of Gerrish Legal.
But if you’re HMRC, you probably won’t be wishing data officials ‘many happy returns.’ At least not sincerely. In fact, the UK’s first GDPR action was against the Revenue for collecting (without valid consent) some five million voice records. A well-known search engine is likely to have forgotten to send the Information Commissioner’s Office a birthday card as well, as they too have come unstuck under the May 2018 regulations.
More complaints, more breaches
And actually these two giants could be the big names of a wider trend. A look at the ICO’s reported stats shows that since the GDPR came into force, the office has received 14,072 data breach notifications – up from just 3,311 the prior year. So a four-fold increase. Similarly, complaints from the public have doubled over the same period – from 21,000 (pre-GDPR) to a touch over 41,000.
However, it should be remembered that the GDPR extends far beyond Europe’s borders as even foreign companies, if they are processing the data of European citizens (including data analytics) or targeting services towards Europe, fall under its scope. Given its wide application, it is easy to see how the GDPR has been making waves, and inspiring many to come forward to exercise their new rights or to flag up their concerns.
Before the GDPR’s implementation, the majority of companies reported some level of concern when confronted with the provisions. However, in its first year, it seems to me that the regulators and supervisory authorities have been somewhat kind to those that fall under its reach. Hearing from the ICO that 91 corporations have been issued fines amounting to a grand total of €56 million doesn’t sound great. Yet when you take into account that €50m of that total was issued to a single company -- almost everyone’s favourite search engine -- it really puts everything into perspective.
Soft! Or just pragmatic?
There are some who are criticising the authorities for being ‘soft’ when issuing fines under the GDPR. But perhaps they have just been pragmatic. The authorities could have easily used the full force of the GDPR and issued fines of up to €20m or 4% of a company’s global revenue – which the legislation permits.
The aim of the GDPR is more subtle, however. It’s not to financially ruin companies and send them down the path to insolvency. It’s actually to coax companies into setting up better practices to protect consumer data. This ideology becomes evident when looking at the fines that have been issued under the GDPR.
In particular, companies that advised the relevant authorities and individuals and took all the appropriate steps when faced with a data breach have been dealt sanctions, and these sanctions reflect their efforts to remediate the situation. By contrast, other corporations that showed little regard for the GDPR have been given heftier fines -- interestingly, even if the breach occurred on a smaller scale.
Enforcement, 'the next step'
Yet the current wisdom at a GDPR conference I’ve just returned from is that these “reasonable” fines are not here to stay. Given that the GDPR is still relatively new, the authorities really are giving companies a chance to get up to par – for now. We’re in a sort of transition period. Heavier fines with the full force of the GDPR behind them are surely on their way. As the ICO’s deputy commissioner Steve Wood said last week: “Enforcement is the next step”.
Last year though, there was a huge reaction to the GDPR. Alongside others in the data protection space, I saw companies scramble to get their procedures in line with the new rules. One year on, when maximum fines haven’t really been levied – and certainly not at smaller-level businesses, only large multinational corporations – there might be the temptation to do as little as possible.
My belief is that the EU has been giving companies a chance to get their procedures in place and going forward, it will now not be so forgiving. So potentially imminently, the GDPR is not just a standard to work towards -- it is a level that is required.
Speculation, innovation, and cake
A question still nagging is whether the GDPR will continue to apply in the UK after Brexit. The accurate answer, for now, is that we can’t know for certain. The UK has been one of the largest data protection promoters globally and it does have its own national laws in place which match the standards of the GDPR. Legislation so far seems to promise that these rules will remain in place, but it is possible that the UK will need to apply for an ‘adequacy decision’ from the EU, declaring that its data protection laws are acceptable and EU companies are entitled to transfer data to and from the UK. This could take time and it is uncertain. For now, anything further is speculation.
Focus instead, I suggest, on innovation. This should be at the forefront of all our minds. Why? Well, the GDPR changed the landscape for businesses, especially entrepreneurs and tech companies, entrusting them with important responsibilities. A balance needs to be struck in order to ensure that these obligations are not so onerous that businesses can no longer be daring and innovative. The laws must be modern too -- the current ‘right to be forgotten,’ for example, is creating a sticking point with new Blockchain technologies. Legislators must keep up-to-date.
And industry people, especially those in smaller operations or companies where GDPR enforcement or compliance are currently little more than buzzwords, must not get complacent.
Indeed, those who are following the rules, and those who are making the rules, should endeavour to ensure the right framework is in place for all our protection, and that it is conducive to an innovative environment. That’s my GDPR birthday wish this year, which has a chance of coming true by the time we potentially cut the cake in May 2020 for the GDPR turning two years old.