GDPR – A Year On, What Have We Learned?

In May last year, the EU brought in significant changes to the way businesses manage individuals’ data. It’s now been over a year since the General Data Protection Regulation (GDPR) was implemented, so what have we learnt?

There have been a number of pretty high profile data breaches and subsequent fines since the inception of the GDPR, most notably Facebook last year, and the recent British Airways fine of £183 million and Marriot Group fine of £100 million. At the very least, this demonstrates that businesses should take it seriously. Large businesses have clearly been affected, but what about smaller businesses? How has the introduction of the GDPR affected them; those who initially invested a lot of time and energy into making sure that they did everything they could to be compliant?

Does anyone in a smaller business really have a full understanding of compliance requirements around the collection and storage of data? It would appear, at least, on the surface that they are unlikely to be targeted at the moment, so perhaps it’s not a concern. Certainly, larger, more well-known companies seem to be bearing the brunt of the new regulations as shown above, but those of us who were involved in ensuring compliance will be conscious that the focus could shift at any moment.

What else has happened since the GDPR’s implementation?

• In the first month of the GDPR, there were over 10,000 complaints, this number grew to 60,000 over the next six months.
• Most complaints regarding the GDPR have been against telemarketing, promotional emails, and video surveillance.
• Google was fined €50,000,000 in France for lack of consent on ads in January of this year. The regulator said that people were “not sufficiently informed” about how Google collected data to personalise advertising.
• In May 2018, the GDPR was at the top of Google Trends, it was higher than any American celebrities!

When the threat of vast fines was bandied about in the early stages of discussions around the GDPR, people took notice. However, now that the buzz has died down, how important is it really? Should you still be managing this carefully, or can it take a backseat? Naturally, other priorities take precedence in a smaller business and unless you have someone, or a team of people to manage data compliance I imagine this is a long way down your list, especially given that there is little or no news of smaller businesses being held to account for errors or data breaches. Here at WDL, I can tell you that we have had 0 data breaches and no one has asked for their data to be removed from our files and systems since the implementation of the GDPR. We do remain vigilant though and know that the management of data requires ongoing attention.

It’s easy to let it slip, and brush it under the carpet but the advice is that we should be keeping data protection in the front of our minds and should continue to do so as it’s not going to change, especially given that the influence of the GDPR doesn’t only affect us here in Europe anymore – it is being felt across the globe. Countries in Africa and across South East Asia are introducing data protection laws, in particular, those wanting to do business with Europe. The Indian government are talking about it, as is South Korea, and new laws which are coming into effect in Brazil and California have also been influenced by the GDPR.

What should you continue to do?

• Curate your data. Make sure that you know where all of the data is and how it is stored.
• Create a culture of ‘privacy-awareness’. Include it in employee training and communicate it across your business.
• Be transparent and accountable.
• Demonstrate a commitment to protecting data.
• Keep up with guidance.

The biggest driving force of the GDPR being implemented globally stems from data subject rights, data breaches and accountability requirements. More and more countries are implementing regulations to help with data exchange around the world and the expectation is that the GDPR rules will continue to be adopted in many new countries over the coming years.

Ultimately, the biggest thing I think we’ve all learnt is that the impact of the GDPR has definitely changed attitudes towards data privacy and its global reach means it’s not going away!