The General Data Protection Regulation (GDPR) came into force on 25th May 2018. Now over a year since its introduction, has it changed data protection practice?
Although not an exact science, various surveys and reports have tended to indicate an increased awareness in data subjects of their rights, as well as an increase in breach reports and subject access requests.
These findings appear to be borne out by the Information Commissioner's (ICO) recently published annual report, which highlights an increase in activity in almost every category reported on. Some key findings include:
This increase in breach reports is not particularly surprising given the duty to report under the GDPR, but it appears to demonstrate that the breach reporting duty is being taken seriously, and is also potentially an indication of the level of data protection issues which may have been occurring unreported in the past.
Data controllers are likely to be particularly concerned about fines, given the increase in the level of fines which can be levied by regulators. The ICO recently imposed the two largest fines so far: £99 million on Marriott hotels and £183 million on British Airways. These fines are far larger than any other imposed in Europe following the introduction of the GDPR, and indicate that the ICO is fully prepared to impose significant penalties. However, the good news for data controllers is that fines remain very much the exception rather than the rule. Of the breach reports dealt with by the ICO in 2018/19, less than 1% led to action beyond requiring the controller to take further steps to address the issue, and a monetary penalty was imposed in only 0.05% of cases.
This information indicates that individuals appear to have a greater awareness of their rights, how to exercise them and how to complain to the ICO if they believe these rights have been infringed. Although fines are still relatively rare, this knowledge and willingness to enforce should give greater incentive for organisations to comply with data protection principles given the risk of enforcement action and reputational damage which might result.