On 25 May 2018, the General Data Protection Regulation (GDPR) began to be enforced across the EU. More than a year on, are companies still complying with its rigorous standards?
Despite having a year to prepare for its introduction, many businesses did not adapt their practices to comply with the GDPR until the week before its enforcement. The GDPR plays a vital part in how we deal with data. However, although most businesses put the effort in at the time, they may not be sticking to its rules now.
What does the GDPR do?
There are many elements to the GDPR, which brings the rules on handling data in line with the demands of today's digital society. The regulation covers a huge range of issues, but below are a few of the main areas on which it focuses:
Giving people control over their data
If your company holds someone's personal data, the GDPR ensures that ultimately, they have control over it. To collect someone's data, you must now obtain their explicit (not implied) consent, and they must be fully aware of what you intend to use it for. If they request a copy of the data you hold on them, you must provide this for free and report how you use it. The 'right to be forgotten' element of the regulation means that if your customer decides they no longer want you to hold their data, you must completely erase it at their request.
Holding organisations responsible
The GDPR also ensures that businesses which experience issues with data protection are held responsible. If you were to experience a security breach, you have 72 hours to report it to both your customers and the relevant authorities. Not complying with this time limit can lead to hefty fines, which we'll discuss later.
Depending on an organisation's size and the type of data it handles, it may be required to appoint a data protection officer to monitor data handling in line with the requirements of the GDPR.
Secure from the get-go
Another key area that the GDPR aims to address is ensuring security through prevention. It sets out rules for how to design digital systems so they ensure sufficient levels of privacy from the start. If your organisation fails to set up its systems to securely implement data collection, you may receive a fine.
Staying compliant
In an ideal world, every business that handles personal data would be complying with the GDPR in its entirety, and to the letter. However, in reality, the GDPR prompted significant changes for many businesses.
Until the GDPR was introduced, data collection rules were far more relaxed, as they either didn't exist or didn't apply to the data we handle today. For example, a website could gather and store as much information as it liked using cookies, and only 'implied consent' was required from the user. The only requirement for this was that a notice was displayed stating that 'by browsing this website you consent to the use of cookies'.
Due to the degree of change required for a lot of organisations, you might not be surprised to hear that according to data from July 2019, only 57% of businesses are confident that they follow the rules set by the GDPR. RSM reports that the reason for non-compliance is not down to a single issue, but appears to be due to a lack of understanding of the intricacies of the regulations. 30% of the businesses polled reported that they were not confident in their compliance.
The lack of compliance may be caused by a perceived lack of action by the Information Commissioner's Office (ICO), the regulatory body which enforces the GDPR in the UK. As more than a year passed between the GDPR coming into force and the first enforcement action being taken, changing internal business practices may have slipped down the priority list throughout the year.
The consequences of falling behind
Despite the delay in issuing fines, some large corporations have seen the consequences of the GDPR. One of these was British Airways, which received a £139.39 million fine after a fraudulent phishing site compromised the personal data of around 500,000 customers. Although British Airways disclosed the incident within 72 hours of its discovery, the fine was still incurred due to the reportedly poor security arrangements the airline had in place.
The Marriott hotel chain was also subject to a hefty fine of more than £99 million following a data breach which exposed approximately 339 million guest records. Both of these companies have needed to work with the ICO to improve their cybersecurity measures along with paying the fines.
It's clear that the ICO are taking the enforcement of the GDPR seriously, but it's worth thinking about why the penalties are so large. If your company is smaller, there's no risk of you exposing millions of customer records – you don't have millions of customers – but think about the impact on your business if your small customer pool did experience a data breach.
The GDPR is intended to ultimately protect users and customers from data breaches. If your business is GDPR-compliant, your customers will feel able to trust you with their personal data, building rapport and making them feel confident in their decision to provide it. While complying with the regulation could take a significant amount of work for an existing or new company, the rules are there for a reason. And while the UK might be leaving the EU, this doesn't mean you don't need to comply with the GDPR.
Here at ViserHost, you can rely on our secure server infrastructure to store and protect your data, and be safe in the knowledge that your hosting provider is GDPR-compliant. Find out more about our hosting products on our website.