GDPR: What’s happened since 2018?
As we approach the second anniversary of the GDPR, the experts at Cheeky Munkey look at its impact on businesses since its implementation.
It’s been almost two years since the General Data Protection Regulation (GDPR) was introduced in 2018. So many major technology stories have dominated the news headlines since then that even now it’s easy to forget just what a seismic shift it represented at the time. The deadline of 25 May loomed large for months on end as businesses scrambled to bring their data handling practices in line with the new rules. Permission-seeking emails flooded customers’ inboxes and nobody was quite sure what data handling would look like after it had passed.
Of course, following that date the sense of widespread panic quickly subsided and the GDPR became the new normal. Most of us have got so used to it as an ever-present watchful eye that it’s hard to remember a time when businesses could email former customers out of the blue or keep hold of outdated data ‘just in case’.
In the thick of the 2018 transition, business owners were so wrapped up in ensuring compliance that it was easy to forget just why these changes were taking place. Data subjects and data handlers had fallen so far out of love by the time the GDPR came around that a kind of stalemate was developing. Customers were suspicious of handing over any information and companies were despairing as they found themselves in increasingly bewildering territory.
The GDPR was intended to set things straight once and for all – wiping the slate clean, putting everyone on the same page and setting crystal-clear guidelines. It also aimed to impose much harsher penalties as an incentive not to breach the rules.
So as we approach the second anniversary of the big day, what exactly has happened since? Is data more secure now, and are companies getting more compliant?
Companies are spending more on IT
There are many reasons why your business might have upped its IT spending in the wake of the GDPR’s arrival. Perhaps under increasing scrutiny you’ve outsourced more of your day-to-day management to external experts who will keep things running smoothly. Or maybe your website needed redesigning in order to make it clearer to customers what data you collect from them.
A major factor in the spending increase is a sharp upturn in subject access requests (SARs) made to businesses – both from customers and from staff. Everyone has a right to know how their data is being used, and people have exercised this right in huge numbers since the GDPR came in. An SAR produces details of exactly what data a business holds about an individual, how it was obtained and how it is being used. Previously data subjects were required to pay a fee for SARs, but the administrative costs now fall on the businesses themselves.
Hefty fines have been paid out
According to recent figures on total reported GDPR fines since May 2018, well over £100 million has already been paid in fines by companies who have fallen foul of data protection laws. The fines have been issued in response to over 160,000 data breach notifications across all 31 nations that come under the GDPR rules. The biggest share of overall fines has been paid in France and Germany; in the UK, the total stands at £274,000.
Companies of all sizes have been affected, including major organisations like British Airways, whose £183 million fine isn’t counted in the above figure because it hasn’t been finalised yet. With high-profile fines such as these and others included, the real Europe-wide figure could be closer to £300 million or more.
Data protection rules continue to confuse
While simple in principle, the rules of the GDPR have proved more confusing in practice. A survey by Which? in May 2019 (one year after the regulations came in) revealed that many people were still not aware that their rights around personal data had changed. In addition, far from having allayed people’s fears about their data, the GDPR’s introduction had in fact sparked an increase in the number of people who were concerned about their privacy.
Fuelling confusion further is inconsistency between law-enforcing authorities and the bodies that regulate data handling. The ICO and the law in the UK are not always on the same page when it comes to data. After the use of facial recognition technology by police in South Wales was upheld by the courts, the ICO had to clarify that this did not amount to permission for forces everywhere to use it.
Small businesses are still vulnerable to data breaches
There is no doubt that the GDPR has brought about sweeping change and left many small businesses struggling to keep up with the pace of change in its wake. This means that, amid spiralling confusion, many businesses simply aren’t taking cyber security seriously enough.
The fact that the consequences of a data breach have become much more serious in the last two years – as demonstrated by the sizes of fines – doesn’t mean that the threat has diminished. Recent data shows that on average, a small business is hacked in a cyber attack every 19 seconds, and the likelihood of being attacked is 59%.
In order to be truly protected against threats from cyber criminals, a business needs to understand exactly what it is dealing with. Hackers aren’t necessarily looking to bring your company to its knees – they are simply seeking weak points in its IT infrastructure. Spots where confidential and compromising data can be leaked are often easy to overlook, and a scheme like the Cyber Essentials certificate can help your business to see where it’s most vulnerable. It can also highlight any areas of your business that aren’t currently compliant with the GDPR and bring them up to date.
Cheeky Munkey can not only ensure your business is protected with bespoke IT security services, but can also create a specialised disaster recovery plan in case the worst happens. A detailed plan provided by IT experts will keep damage to a minimum and get your business back on its feet as soon as possible.