The General Data Protection Regulations – 3 years on.

Author: Aaron Green LLB CIPD, Operations Manager.

The General Data Protection Regulations (2018) celebrated it’s 3rd birthday last month, but how successful has this piece of legislation that was designed with individual choice and control at the heart of it really been?  

GDPR came in to effect on 25 May 2018 and affected very company that processed or controlled personal data (basically every company).  

After a 2-year implementation period, it became a last-minute scramble for compliance on the eve of the legislation coming in to effect – with worries of business ending fines scaring companies in to compliance. Under the new GDPR structure, fines of up to €20million or 4% of global turnover could be issued and this was a massive step change from the Data Protection Act 1998. For example, Facebook, fined under DPA (1998) received a £500,000 fine for its role in the Cambridge Analytica scandal – had this been under GDPR (2018) the fine could have been £10.3billion. 

The dawn of the new era entered with more of a whimper than a bang with the first of the fines for non-compliance not being issued until June 2019 where Smart Home Protection became the first company to be fined under the new GDPR regime. They were fined £90,000 for nuisance calls. The ICO demonstrated it would not be averse to threatening big fines, with an intent to fine BA £183million, but this was reduced to £20million once the actual fine was issued in 2020. 

The Information Commissioners Office (ICO) who regulate data protection in the UK gave clear guidance on where they would use guidance, rectification and education to improve and promote privacy principles and where they would move to enforcement action and fines. Fines were reserved for the most serious of breaches involving negligence, intent or repeated breaches causing damage to individuals.  

As of June 2021, the ICO has taken enforcement action or issued fines on 61 occasions – the majority of these being fines for breaches of marketing principles. The ICO did bare its teeth in 2020 making the UK the country that issued the 2nd largest value of fines behind Italy, but remained the country with the 6th smallest number of fines issued, thus sticking to its principles of hitting hard where needed but advising where possible.  

In the last 3 years, the landscape in the UK (and the world) has changed. Brexit has had an impact with GDPR now being enshrined in to UK law under the Data Protection Act 2018 and the UK now being able to diverge from European privacy principles if desired.  

Covid-19 has obviously had an impact on data protection, with companies struggling to survive and not having the time or budget to focus on data protection – this has invariably led to a relaxation of compliance at the same time that the digital threat has increased, particularly from phishing emails. Added to this the requirement under contact tracing for hospitality venues to record visitor’s details in the event of a Covid-19 outbreak, with a lack of guidance on how to do this whilst maintaining privacy principles, which has led to varied degrees of GDPR compliance, has increased the risk to our personal data – at a time where data has never been so valuable.  

So, has the first 3 years of GDPR been a success despite the rocky road of data compliance?  

GDPR has certainly increased the focus that companies give to personal data – the fear of prosecution and fines has improved training and awareness across industries – but there is still no gold standard or formal qualification or accreditation to demonstrate compliance with privacy policies leading to a massive rise in GDPR compliance consultancies.  

As individuals, we have more choice over our data. Companies are falling over themselves to give data consent choices – Apples latest iOS for example, gives users control over what data their apps can track and Facebook, desperate to overcome the bad PR from their fine, gives unprecedented data control. Indeed, it is the PR fall-out rather than the fines that seems to be the driving force for corporate compliance. GDPR is still new enough that the fines hit the headlines and it has entered the psyche of consumers to chose companies that protect their data.  

So, as we (hopefully) exit the Brexit turmoil and the Covid-19 pandemic, what will be next for the ICO? 

This year’s focus will include children’s privacy, particularly with the Age Appropriate Design Code coming in to force this year. Ad-Tech and Real Time Bidding (where advertising is bought and sold on a per-impression basis) continues to be a focus with ICO announcing in January that they were recommencing their investigation paused due to Covid-19. The Privacy Shield and Schrems II will no doubt also be up for review, particularly in the light of US/UK trade talks and the UK’s divergence from EU law.  

This year also sees a new Information Commissioner appointed in October, who will no doubt have their own priorities to protect individual’s data.