The first year: What can organisations learn from GDPR fines so far?

(Image credit: Shutterstock/Wright Studio)

Just over a year since its introduction, The EU’s General Data Protection Regulation (GDPR) is still making waves as the most significant transformation of privacy legislation in decades.

The business community and public sector had been made aware of the changes for some time, but as the deadline approached, customer email boxes were flooded with requests for retrospective permissions and headlines of huge fines were commonplace.

In the event, the world did not change overnight, and it was difficult to identify the immediate consequences. However, with the luxury of a year’s perspective we can see that individuals and regulators are flexing the muscles afforded to them with these new powers.

Revisiting the basics

To recap, the GDPR strengthens user privacy in two main ways. First, it increases the obligations on organisations to protect user data. Second, it grants citizens major new powers over how their information is collected, used and stored.

For example, businesses must take appropriate technical and organisational measures to secure personal data, train staff, and notify the regulator of a breach within 72 hours of becoming aware of it where the breach is likely to put individuals at risk (and notify the affected individuals themselves where that risk is high). Businesses must also be clear and transparent with individuals about how they use personal data. Individuals can demand to see what data is held on them and can also request that it be deleted, subject to a limited set of exceptions such as data an organisation is legally obliged to keep.

Early evidence suggests individuals have been taking advantage of the new regulations, demanding greater control over their personal information and complaining to the appropriate regulator when organisations fail to respond. Elizabeth Denham, the UK’s Information Commissioner, says she has witnessed an upsurge in complaints and breach notifications. Altogether the Information Commissioner’s Office saw complaints jump from 9,000 to 19,000 in the first six months of GDPR being in force, and more than 8,000 breach reports were submitted to the regulator in the same period.

Counting the costs

In the lead-up to GDPR, its powers were well publicised, including the ability to impose a fine of up to €20 million or 4 per cent of an organisation’s worldwide annual turnover, whichever is higher. We can now see that these warnings were not a case of ‘Project Fear’ and that regulators are prepared to issue severe penalties.

A €20,000 fine imposed in November 2018 by the Baden-Württemberg data protection authority on German chat site Knuddels, for a breach in which email addresses and passwords stored in plain text were stolen, was hardly the most draconian, but elsewhere figures were rising rapidly.

The Portuguese regulator had already applied GDPR principles to impose a €400,000 penalty on a hospital in 2018, after finding that it had allowed staff to access patient records through accounts with doctor-level privileges, including far more active ‘doctor’ accounts than the hospital had doctors. And in January 2019, the French data protection regulator CNIL handed the biggest fine to date to Google. The €50 million fine was given for Google’s lack of transparency in how it collected data for personalised advertising, and for failing to obtain valid consent for that processing.

Specifically, the CNIL found that the information users needed in order to understand the processing (the purposes, the categories of data, and retention periods) was spread across several documents and menus and was not easily accessible, and that the information given was too generic for users to grasp the scale of the processing. It also found that the consent Google relied on for ads personalisation was neither ‘specific’ nor ‘unambiguous’ as GDPR requires: the personalisation option was pre-ticked by default, and users had to accept Google’s terms and privacy policy as a single bundle rather than consenting to each purpose separately.

Lessons learned

So what can organisations learn from these and other fines so far?

1. Regulators are prepared to use their power

The most obvious lesson is that regulators are not afraid to use their new powers. The examples to date show that authorities are serious about enforcing the regulations and are more than willing to take advantage of the greater financial penalties they can issue.

For a multi-billion-pound organisation such as Google, the fine is far from fatal – but other businesses do not have the luxury of absorbing such a charge. Some organisations might have thought paying a fine is less costly than becoming compliant – they have been warned.

2. GDPR can have a serious impact on business operations

Any obligation to change practices could have a huge effect on how a data-intensive organisation operates. For instance, Google’s entire business model relies on the acquisition of data that can be used to personalise services and advertising.

Organisations need to ensure their data collection adheres to the new rules – if this isn’t possible they may need to change their business model.

The only alternative is the nuclear option – in 2017, Wetherspoons deleted its entire mailing list rather than go through the ordeal of compliance – but that is hardly a realistic option for most businesses.

3. Security isn’t optional

It’s not just data collection that is coming under scrutiny; security measures are too. Article 32 of the GDPR requires security measures appropriate to the risk and explicitly names pseudonymisation and encryption as examples, so organisations must ensure personal data is protected at rest and in transit, that passwords are hashed rather than stored in plain text (the failing behind the Knuddels fine), and that they have visibility over who can access what data and on what device, as the Portuguese hospital case shows. Data breaches are a common occurrence, but demonstrably taking every reasonable step to prevent an incident, and cooperating openly with the regulator when one occurs, can minimise the threat of a big fine: the Knuddels penalty was kept modest in part because the company reported the breach promptly and fixed the underlying problem.

4. Technologies can help

Unless organisations adapt to the new realities of data protection, the risk of severe financial or reputational damage will persist. In addition to security tools, organisations should appoint a Data Protection Officer where the regulation requires one (public bodies and organisations whose core activities involve large-scale monitoring or processing of special categories of data), maintain a record of what personal data they process and why, and implement a data retention strategy so that data is deleted once its purpose has been served.

For example, the major public clouds now offer GDPR-specific contractual terms, EU data residency options and built-in encryption and access-logging, which can reduce the compliance burden for organisations that aren’t certain of their own architecture. The caveat is that responsibility is shared: the cloud provider secures the platform, but the customer remains the data controller and is still accountable for what data it collects, how access is configured, and how long it is kept. Similarly, intelligent use of Mobile Device Management (MDM) platforms can control the flow of personal data across devices, enforce device encryption and allow remote wiping of lost equipment, meaning workers can still perform their jobs without putting compliance at risk.

5. There’s still more to learn

With so many active complaints and investigations – not to mention major cyberattacks and the certainty that more breaches will happen over the GDPR’s lifetime – we should expect more fines to come, and that they will eventually break the current record. As organisations get to grips with new legislation, each new case will likely deliver a new lesson to be learned. As a result, organisations need to be ready to learn from these cases – and implement new best practices and processes to ensure they don’t become a lesson themselves.

Alex Guillen, Go To Market Manager, Insight UK