GDPR UPDATE: Testing the boundaries

Seven months since the implementation of GDPR, what exactly has changed in the data protection landscape, and how are regulators going about the process of upholding the requirements? Martin Allen-Smith investigates

The launch of the new rules on data protection received enormous media attention ahead of the 25th May compliance deadline last year. The prevailing view at the time was that a great many businesses were unlikely to be ready in time, raising the prospect of a slew of fines and sanctions from regulators.

While many view the General Data Protection Regulation (GDPR) as an exercise in box ticking, in reality it is much more. How firms handle personal data goes to the very core of trust in business, and the GDPR modernises the laws that protect the personal information of individuals. Research carried out last year for the CBI by Ipsos MORI found that the way a company deals with data is the top concern for potential customers and business partners, in large part because public trust in how businesses use data has been rocked by high-profile scandals. The same study highlighted that seven in ten consumers do not believe companies have their best interests at heart when using their personal data.

So, given the widespread confusion ahead of the new rules over what exactly was required, what does the GDPR landscape look like now, a little over half a year on from the implementation of the new data regime? Data breaches have certainly not been eradicated, including large-scale, high-profile incidents such as the Marriott Hotel Group breach late last year, in which the details of up to 500 million customers were potentially compromised in a cyber attack. But the Information Commissioner's Office (ICO) has revealed some early trends, with data breach notifications doubling in the first months of the GDPR.

In a speech at the CBI Cyber Security Conference in September, ICO deputy commissioner James Dipple-Johnstone said that the ICO had been receiving around 500 calls a week to its breach reporting hotline since the GDPR came into force in May. However, around a third of the calls to the hotline do not meet the GDPR reporting threshold. The ICO says that it will now discourage the practice of over-reporting, and plans to issue further guidance on this particular element soon.

According to the ICO, some companies are struggling with the concept of breach notification as defined by the GDPR, which requires organisations to report a personal data breach to the supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the individuals affected. It also says that some breach notification reports were "incomplete", despite guidance that sets out what information is required. Some organisations tend to leave out crucial details in their reports, while others go the other way and write exhaustive, over-inflated reports full of unnecessary detail. Either way, this lack of understanding of the requirements slows down the reporting process and creates more work for the ICO. This is almost certainly an area that will need to be refined.

In addition to the Marriott case, there were two other major incidents which act as something of a test of the robustness of the GDPR system. A cyber attack disclosed by British Airways in early September compromised the personal and payment card data of around 380,000 of its customers, while in late September Facebook revealed that almost 50 million user accounts may have been exposed after attackers stole access tokens. While BA was quick to notify affected customers, Facebook held off notifying individuals pending an internal investigation.

More widely, there is still much to do. A report published in December by cyber risk consultancy IT Governance suggests that only 29 per cent of EU firms have fully implemented the requirements contained within the GDPR. The same survey of 200 firms across a range of industries found that 60 per cent of respondents were aware that they must respond to data subject access requests.

In addition, 75 per cent said they had conducted at least some parts of a data flow audit, used to gain insight into data risks. As far as security is concerned, 61 per cent said they had "basic controls" in place to contend with data breaches, with half stating they have plans in place to notify the supervisory authority in the event of such a breach.

“It is discouraging to see so many organisations understanding the GDPR and its applicability to their businesses but failing to comply,” says Alan Calder, founder and executive chairman of IT Governance. “May 25th should have been the wake-up call, but it’s not too late to begin your compliance journey.”

It could well be the threat of hefty fines, which may soon become a reality, that helps focus minds on the priorities of the GDPR. The BA and Facebook examples could result in large penalties being levied under the rules; the maximum fine is €20 million or four per cent of total annual worldwide turnover in the preceding financial year, whichever is higher.

The ICO has previously shown its mettle when it comes to penalising companies that break the rules. It recently fined Equifax and Facebook £500,000 each for serious breaches of data protection law. The fines were the largest possible under pre-GDPR legislation and would "inevitably have been significantly higher" under the GDPR, according to the ICO.

As yet the ICO has not issued any fines for breaches under the new regime. However, it has sought to reassure companies that it aims to be fair. Recent large fines are said to reflect failings in the respective organisations' own controls and culture, whereas companies that take appropriate steps to protect personal data and prepare for a data breach have little to fear, according to Dipple-Johnstone. "If you take your responsibilities under the GDPR seriously, and have taken reasonable steps to protect that data in line with our security guidance, then we will recognise that," he advises. "If you adopt privacy by design, treat cyber security as a boardroom issue, and demonstrate a robust culture with appropriate transparency, control and accountability for your and your customers' data, then we will not usually have an issue with you should the worst happen."

Erica Constance, cyber portfolio manager for insurer QBE, says the ICO's warnings over the need to take data protection seriously demand a careful balance of priorities. "While early days for the GDPR, the UK regulator is taking the issue of privacy and data security seriously," she warns. "The two known breaches under the GDPR – BA and Facebook – highlight the challenges of assessing whether to report a data breach, given the heated environment and potential for reputational damage. Seventy-two hours is very little time to get a handle on a complex cyber attack, while notifying individuals in the absence of detailed information could do more harm than good."

Time to market

Alongside breach reporting, organisations have often been labouring under misapprehensions about data permission requirements. There was much press coverage about how the GDPR would affect marketing operations, and the common assumption was that organisations would need to obtain fresh consent from all their contacts or else delete their databases, which is not true in most cases. Consent is only one of the lawful bases available: marketing to existing customers about similar products or services can rely on legitimate interests (and, for email, on the existing "soft opt-in" under the PECR rules), provided the customer is given a clear and easy way to unsubscribe at every contact.

So what's next for the GDPR? After six months under the new regime, the level of published regulatory enforcement has been relatively low. Data breaches continue to receive significant press coverage, but many pre-date the GDPR and will be dealt with under the previous regime, so it is too soon to get an accurate picture of the types of enforcement that may dominate in the long term. The threat of fines of up to four per cent of global turnover has grabbed many headlines, but in practice regulators may be reluctant to impose such large fines. A maximum penalty will almost certainly be challenged by its recipient, leading to long, drawn-out proceedings that tie up capacity the regulator needs to uphold the regulation elsewhere. Regulators will need to strike a fine balance between the frequency and the scale of enforcement action.

Many organisations are seemingly still working through a backlog of compliance activity even at this stage, months after the GDPR came into force. The ICO appears relaxed about giving these latecomers a little more time to catch up, but with half a year already passed, it seems unlikely that there will be much more leeway. There could be a significant increase in the number of fines and other enforcement actions taken by the ICO over the next six months or so if organisations fail to properly embrace the spirit of the GDPR changes.


This article was published in the January 2019 issue of CIR Magazine.
