This month marks the two-year anniversary of the General Data Protection Regulation (GDPR). At the time of its introduction, GDPR was considered a revolutionary development in the legislation that safeguards personal information and was rolled out to reflect the growing importance of data protection in the modern world.
This meant businesses contravening the GDPR could now be fined up to €20m or up to 4% of their annual worldwide turnover for the preceding financial year, whichever is greater.
Two years on, rather than celebrating GDPR’s anniversary, the EU is instead having to answer complaints lodged by Brave, a maker of a pro-privacy browser. Brave claims that “European governments have failed to equip their national regulators to enforce the GDPR,” leaving regulators woefully under-resourced. Its report revealed that only five of Europe’s 28 national enforcers of the GDPR have more than 10 tech specialists each, and half of EU GDPR enforcers have small budgets (under €5m). For example, the UK Government’s privacy watchdog is Europe’s largest and most expensive to run, yet only 3% of its 680 staff are focused on tech privacy problems.
This explains why, despite numerous data breaches since the introduction of the GDPR, only a handful of companies have received punishment. The biggest penalties in the UK, for British Airways (£183m) and Marriott (£99m), have so far only been issued as intentions to fine, and both are under appeal. British Airways is, however, also facing a potential compensation pay-out estimated at up to £3bn.
So, what does the apparent underfunding mean for businesses and consumers, and what might the future have in store for the GDPR as a result? Infosecurity spoke to Aman Johal, lawyer and director of Your Lawyers, a leading consumer action and data breach compensation law firm, to find out.
What are your thoughts on the reported under-resourcing of GDPR enforcement?
We knew the GDPR meant that the reporting of issues and the management of data protection responsibilities would significantly expand. Its introduction has shown just how vulnerable a lot of organizations and their employees are, and it has been difficult for many to adapt to the new GDPR world. As such, it hasn’t been surprising to see such a significant number of breaches.
The combination of increased reporting of matters which may have previously gone unreported, and the issue of over-reporting given the severe financial threat a fine carries, may have overburdened the system. There are always delays during a transitional phase of implementing such a huge change in legislation, which we’ve seen plenty of times in the past. Additionally, it’s clear that many organizations aren’t taking the GDPR seriously given the number of severe breaches that have taken place since May 2018. The solution? Properly resourced regulators.
What impact does the lack of funding have on businesses and consumers?
We often say that organizations must invest in their data protection and cybersecurity efforts. This is the only way they can keep the data they store and process safe. As such, when it comes to the regulators who must ensure that the law is applied and punishments are enforced, they too must have the resources required to achieve this.
It’s no good having rules and laws in place if regulators do not have the resources to enforce them. It makes a farce of the rules and removes the threat that should be there as a deterrent for organizations to ensure they don’t fall foul of the law. A continued lack of funding of data protection watchdogs could mean that we will continue to see organizations fail to take the required steps to properly protect data. As a result, avoidable breaches may occur and sensitive consumer data could be exposed to ruthless cyber-criminals.
What must be done to improve GDPR implementation?
Swifter enforcement of regulatory powers may be the catalyst that organizations need to start taking data protection far more seriously and properly invest in their infrastructure and human resources. The GDPR alone should have been enough, but it’s clear that it hasn’t been an effective enough deterrent, given the number of breaches that have taken place.
The swift execution of severe penalties should send a clear message to all that any breaches of the law will, in no uncertain terms, be appropriately punished. The intentions to fine British Airways and Marriott millions of pounds were big news but, in both cases, they appear to be appealing the fines and this has, perhaps, lessened the impact these first ‘statement fines’ could have had, especially given that we are now almost a year on and there’s still no final outcome.
We understand that the coronavirus pandemic has put these fines on the back burner, so it’s unfortunate that they could not have been resolved with a final outcome more quickly. That would have sent a clear message that fines will be quickly executed and any appeals swiftly resolved. Outcome-focused action should be the tagline that everyone associates with the GDPR.
What will the next year have in store with regard to the future of data protection regulation?
Unless there is more swift and effective application of the punishments that can now be enforced, we may see little to no difference at all. We may end up sleepwalking into a period where the GDPR fails to have the impact that it could, and should, have. It should have been the catalyst for change, but the raft of big breaches to date suggests that it hasn’t. A clear message needs to be understood by all that you either comply with the law or you face punishments – no ifs, no buts.
However, everything has changed given the coronavirus pandemic which has, of course, not helped. We fully understand why regulators may be forced to take a more relaxed and lenient approach to data protection given the disruption caused by the virus outbreak, and the lasting effects of this could take years to settle. Until the pandemic has reached that stage and the data protection fallout from it can be properly assessed, it’s hard to know for sure what the immediate future holds for data protection. The issues that the pandemic has caused are at odds with the need for swift and effective enforcement, so we’ll need to tread these uncertain waters before anything else.