The GDPR (General Data Protection Regulation) came into play on 25th May 2018, replacing the former DPA (Data Protection Act) to enhance the data privacy of citizens in the European Union. The Regulation applies to all EU companies, and those that provide good and services to, or monitors the sensitive information of, EU citizens. Along with new regulations on how businesses should protect data, the GDPR brought bigger penalties for businesses that did not comply with its guidelines. However, it hasn’t been a year of smooth sailing. Here we take a look at the GDPR one year on.
UK GDPR breaches
This new regulation was designed to minimise data breaches to offer greater protection to EU consumers. Research shows that complaints reporting online data breaches increased by 60% in the six weeks following the new regulation, but what has been the pattern of data breaches since the GDPR has been in play?
It was a year until the Information Commissioner’s Office (ICO) issued fines for the first UK data breach under the new regulation. The offender was British Airways, fined for a breach of consumer data. According to the ICO report, this breach occurred as a result of “poor security arrangements”. Just one day later, Marriott was accused of failing to protect customer data after hackers accessed nearly 340 guest records. The ICO proposed a fine of £99m in this case.
Elsewhere in Europe, French regulators pursued Google in a high-profile case for a lack of transparency and lack of valid consent around certain topics. After a formal investigation, the search engine giant was found guilty of these accusations. Germany has also pursued over 60 companies, ranging from banks to medical firms and a fire department.
Austria, Portugal and Malta are among other European countries to have issued fines for companies’ failures to comply with the GDPR.
The financial penalties were some of the most-talked-about changes when the GDPR came into force. While the maximum possible fine is much higher than was permitted under the Data Protection Act, fines haven’t yet reached the heights of 4% of global annual turnover that had so many businesses running scared pre-GDPR.
The British Airways data breach has been the biggest fine to date, more than double that of Google’s fine of €50m, set by the French regulator. The UK airline was proposed a fine of £183m.
While it’s unclear whether or not these fines will increase as data protection authorities establish a more concrete framework for the calculation of fines, one thing is apparent from the past year: businesses that cooperate with the data protection authority in question, and show a desire to resolve the problem, could reduce the final fine amount.
What can businesses learn?
It’s apparent that businesses should act quickly if they do suspect a data breach. GDPR requirements stipulate that businesses should report a suspected breach within 72 hours of occurrence. However, acting as soon as possible, advising those affected and seeking a resolution could work in the businesses’ favour when it comes to the size of the penalty.
Arguably the most important step for businesses is to educate themselves on the key requirements under the GDPR. Statistics show that 39% of SME owners don’t understand who the GDPR and 90% of SME owners don’t know the new rights that GDPR gives to consumers. Improving knowledge of such facts means businesses take active steps to ensure GDPR compliance in all areas of operations.
With over 25 years industry experience, tier1 are proud to be the UK’s most accredited ITAD supplier. We possess the skills, accreditations and experience to handle our clients’ data with the care they deserve, and to ensure they are fully GDPR-compliant.
Contact us today on 0161 777 1000 or visit https://www.tier1.com to find out how we can help you dispose of your data safely and reliably.