A year ago, the deadline for GDPR compliance was bearing down heavily upon us, as data protection regulators gained mighty new powers and drew their plans to protect us.
At midnight on May 25, we moved into a new world in which we were scrutinized more closely than ever before. Tomorrow will mark a year since the GDPR came into effect, giving data protection regulators the power to issue larger monetary penalties than ever before and to demand breach notifications within 72 hours. What's more, companies were forced to comply with rules around subject access requests and the Right to be Forgotten.
However, one year on, it could be argued that the GDPR has not really delivered on expectations. To release one line from our upcoming second State of Cybersecurity Report, while “excitement about regulation has died down a little,” regulatory controls will remain a driver in the EU and beyond, although the lack of very high-profile “slaps on the wrist” has not helped.
Infosecurity spoke with Mishcon de Reya LLP data protection advisor Jon Baines and MDR Cyber cybersecurity lead Joe Hancock this week, asking the pair whether they felt that GDPR had delivered on expectations. Baines said that much of the change promised in the build-up to GDPR has not come to fruition, and “as cynical as I was about what change it would effect, you cannot deny the fact that a huge amount of money and time and resource was thrown at it.”
Baines added that this meant a lot of people were putting money into compliance, information management and information governance, “which needed doing.” So while a lot changed behind the scenes, after one year of GDPR not much has visibly changed yet.
Hancock said that the cost factor was one to consider, as while spending on compliance increased, spending on security decreased “and we’ve created a much better data protection landscape and made security worse as I don’t think anyone was spending 10% of budget on security.”
One of the main takeaways from a recent roundtable Infosecurity attended was that GDPR compliance was seen as a “point in time” effort, whereby if you were compliant on May 25 last year, you would be OK permanently. Baines said that many people would have thought that was a finish line, “when in fact it was a starting point.” In his own client work, he said, there was a huge ramping up and then a tailing off, and now it is building up again as people exercise their rights and organizations deal with what breaches mean for them.
The fines, and the amounts the regulators could issue, were a large talking point a year ago, and yet we have not seen a ‘4% of global turnover’ monetary penalty; the only serious fine to date was issued in January by the French regulator to Google. Baines said that while nothing has been done and no sign of intent has been seen, he did suspect something “was waiting in the wings.”
Baines said: “The ICO has always had power, but now it has power to take on an infringing controller and tell them to stop what they are doing, and some of those enforcement notices are coming which are of the ‘business destroying mode.’ There are different ways of harming a business: one is to fine them €20m or 4% of their global annual turnover, but another and quicker way is to say ‘stop what you are doing and if you continue you’re acting unlawfully.’”
A year ago, our first State of Cybersecurity Report featured compliance as the number one driver for cybersecurity, while FUD and mis-selling also featured in the top five. Hancock said that there was a great deal of hype in the lead-up to last year, citing “GDPR compliant USB sticks” as an example of the lengths some companies would go to.
Looking back at the year, and forward to potential outcomes, Baines said that GDPR has focused a lot of minds on what the rights mean, and “it has taken maybe a year for some of the clouds of hype to clear away and for more interesting stuff to start to emerge.”
Future fines may well come from the breach incidents that have occurred since May 25 last year; to date, cases such as Cambridge Analytica pre-date the deadline, which is why Facebook's fine last October was £500,000, the maximum available under the previous Data Protection Act 1998. In 12 months' time we may be having a very different conversation about two years of GDPR, but for the first year we see a cybersecurity industry reflecting on what could have been.