Back in May, the anniversary of a huge event passed by with surprisingly little fanfare, considering the pre-launch hype and how, with time, its name and legacy have become monumental around the world.
I wouldn’t blame you if you were struggling to think of one single thing that ever happens in May. No, I am not talking about a celebrity’s birthday or even the launch of the original Star Wars movie in 1977. So, what anniversary am I alluding to?
Well, very simply, the event in question was the launch of the EU regulation called the General Data Protection Regulation (GDPR). Years in the making, it finally became law across Europe on 25th May 2018 and has revolutionised the concept of data protection across the globe. Today, far more people than ever know about data protection and that they have rights in relation to what their data is used for, and that is all thanks to the GDPR.
Our regulator in the UK, the Information Commissioner’s Office (ICO), has seen a considerable increase in public engagement and awareness of data privacy. The ICO reports a 32% increase in the number of users accessing its website and a 66% increase in people contacting its helpline and written advice services.
In its report ‘GDPR – One Year On’, published on 30th May, the ICO says it has received 14,000 reports of personal data breaches, a 400% rise under the GDPR compared to the old regime. A high proportion of these cases required no further action from the organisation. However, the ICO views over-reporting of data breaches as a positive sign that businesses are taking the GDPR seriously and being proactive.
Over the last year Atalian Servest employees, myself included, have invested a vast amount of time and effort in dealing with breaches and with requests from individuals to see their personal data (Subject Access Requests in GDPR parlance). Few exemptions apply: data may be redacted or deleted from some documents if, for example, they contain third-party data, but otherwise we must be “purpose blind”. What that means in practice is that, while there may be a clear motivation behind a request, especially where there is a dispute between the organisation holding the data and an individual (an employer and employee, say), we cannot refuse to disclose the personal data on that basis.
Why does all this matter so much? Well, it must be remembered that, with very few exceptions (limited to matters such as state security and crime), an organisation that collects, holds and processes personal data about an individual does not own that data. It always belongs to the individual for as long as he or she is alive and kicking (all data protection rights die with the individual). So organisations must respect an individual’s personal data and use it only fairly and lawfully, which includes collecting only the data that is necessary for stated purposes and keeping it for a limited period.
To illustrate how seriously the EU regards data protection, the GDPR includes fines for failing to adhere to the rules at a level that caught everyone’s attention and dominated the headlines. There are two simple scales, depending on the type of infringement: up to €10m or 2% of annual global turnover, whichever is higher, or up to €20m or 4% of annual global turnover, whichever is higher. To date, the largest fine issued by a European data protection regulator is the €50m fine France’s CNIL imposed on Google (subject to appeal). As of July 2019, the ICO has issued notices of its intention to fine both British Airways and Marriott International after extensive investigations. These GDPR infringements are likely to result in a fine of £183.39M for British Airways and more than £99M for Marriott International.
It is still early days for the GDPR, a piece of legislation that may, like its UK predecessor the Data Protection Act 1998, last for 20 years. Beyond raising awareness of data protection in the UK and Europe, the GDPR’s impact across the world is already evident: from the California Consumer Privacy Act, which comes into effect on 1st January 2020, to Brazil’s LGPD, which is expected to become applicable in August 2020, with draft legislation also in progress in countries from India to Argentina.
While I doubt anybody is ever likely to sit in a comfy chair with a bag of popcorn and read a freshly printed copy of the General Data Protection Regulation, it is undoubtedly of paramount importance to every business. With its global reach and a vast and growing base of people who are beginning to understand and recognise its importance, it may one day become even more famous than Star Wars itself.
Andreas Loizides (Data Protection Officer)