It has been two years since the deadline for compliance with GDPR landed. We had spent many years waiting for it to arrive, seen periods where it seemed to fall away, and in 2016 it was suddenly resurrected. Now with two years of compliance culture behind us, what have we learned so far?
No business is exempt from an intent to fine: It was July 2019, just after the first GDPR anniversary, when we got the news the Information Commissioner’s Office (ICO) was had issued an intent to fine British Airways £183m, after around 500,000 user details were stolen in a Magecart attack.
The first intent to fine was followed soon after: Only a matter of hours after the first intent to fine was issued, the second was hand out to Marriott International. This £99m fine was in relation to the exposure of approximately 339 million guest records in November 2018.
The first actual fine was announced in December: The ICO fined Doorstop Dispensaree Ltd, a supplier of medicines to customers and care homes, after it left approximately 500,000 documents in unlocked containers at the back of its premises in Edgware in North London. The fine amounted to £275,000.
Those Marriott and BA fines: As a result of legal proceedings, and the COVID-19 pandemic, the change from intent to actual fine is expected to take over a year, and Cordery expects the fines to be finalized in August-September 2020.
There were fines in Europe though: We’ve seen plenty of fines issued across Europe, including £44m for Google from the French data protection regulator, and by the German data protection regulator – €10m to the ISP 1&1.
Not all fines have been paid: According to Freedom of Information Act requests, the ICO has fined 152 organizations a total of £16.6m since 2015, and some 30% are still unpaid, amounting to over £7m, or 42%, of the total. This does account for penalties issued prior to GDPR.
New regulations have followed since May 2018: The California Consumer Privacy Act (CCPA) was introduced in January of this year, while the revised Payment Services Directive (PSD2) went into full effect on September 14 2019.
An increase in the number of DPO appointments: The appointment of a data protection officer is a requirement of the GDPR for businesses of a certain size. According to the ICO, there are 64,383 companies with a DPO registered with the regular, whilst in an Infosecurity Twitter poll of 77 votes, 71.4% of respondents said their company had appointed a DPO.
Compliance remains a popular trend: In our second State of Cybersecurity Report, published in June 2019, compliance was the third most cited trend. However, the general feeling was that, whilst GDPR had improved data protection practices and better enabled forensics and incident response, meeting compliance had left to stress among practitioners, and that GDPR had not lived up to expectation.
Finally, those ICO jackets seem to be in storage: The dawn raid took place in March 2018 upon the offices of Facebook, in light of the Cambridge Analytica revelations. Operatives wore ICO branded jackets, but we’re yet to see them out of the wardrobe since.