One Year On
By Robin Bingeman, Managing Director, Cryoserver
On May 25th, 2018, the EU rolled out a new set of data privacy laws under the General Data Protection Regulation – more commonly known by the acronym GDPR. The aim of GDPR was to set a standardized level of data protection for individuals across the EU. The negotiations for this new legislation took more than four years, and the resulting regulation governs how businesses must handle, store and protect consumer data.
Regardless of Brexit, the ICO (Information Commissioner’s Office) and UK Government have stated that the UK will still have to comply with GDPR. In fact, any overseas businesses dealing with consumers and other businesses in the EU27 must be GDPR compliant.
In the lead up to the GDPR deadline, the ICO called for GDPR compliance rather than enforcement, but news headlines focused on the eye-watering fines – enough to scare any business into getting themselves in line with the regulations.
For companies in breach or found to be non-compliant, there are two tiers of administrative discretionary penalties that can be levied:
€10 million or 2% annual global turnover – whichever is higher; or
€20 million, or 4% annual global turnover – whichever is higher.
It is important to note that fines are imposed on a case-by-case basis. Now that we’re a year on from GDPR being rolled out, it’s time to look back and reflect on its impact.
What Have We Learnt One Year on From GDPR?
GDPR has reshaped the rules of data management and marketing, making the data and email compliance landscape much more complex. From collecting personal data via cookies so that information can be used for marketing purposes, to storing personal data, explicit consent must be given by the individual, and sometimes more than once.
Alongside this, individuals have the right to submit a Subject Access Request (SAR) to businesses. Under GDPR, employers must respond “without undue delay and in any event within one month of receipt of the request.” This shortened the previous 40-day limit required under the DPA (Data Protection Act).
What’s interesting is that a recent survey has shown that three-quarters of UK organizations failed to address personal data requests within the 40-day period, with some businesses not responding to consumer and employee requests at all. Alongside this, according to Corporate Counsel, there have been 59,000 data breaches reported in the EU since the introduction of GDPR, including 10,600 breaches from the UK.
Despite the warnings presented in the lead up to the introduction of GDPR, there have been a number of data scandals over the past year. The European Data Protection Board stated that since May 25th, 2018, 206,326 data breaches were reported by supervisory authorities in the first nine months of GDPR being in force. In addition, authorities in 11 EEA countries issued administrative fines totaling €55,955,871. In 2018 alone, the supervisory authorities in Germany handed out a total of 41 fines.
Uber – November 2018
In November 2018, Uber was fined £385,000 for paying off hackers who had stolen the personal details of 2.7 million UK customers. Uber hadn’t informed their customers about the breach.
Using “credential stuffing” (submitting username and password pairs, typically leaked from other breaches, to a site until one matches), the hackers had accessed Uber’s cloud-based storage system and downloaded names, phone numbers, and emails of customers, as well as 82,000 driver records. Following this, Uber paid the attackers a $100,000 ransom so that they would destroy the data, but it took Uber more than a year to tell the affected customers and drivers.
Due to the size of the breach, the sensitivity of the data stolen and the length of time it took Uber to notify those who were affected, they were fined £385,000. Alongside this, 174,000 people in the Netherlands were also affected, leading the Dutch Data Protection Authority to impose a separate fine of £532,000.
Google – January 2019
In January 2019, the French data protection watchdog CNIL fined Google the largest GDPR fine to date – £44 million. Google was found to have violated GDPR in two ways. Its data processing practices were found to be “massive and intrusive”, and its data processing was found not to be transparent enough when it comes to creating a Google account through an Android device. CNIL found that when consumers seek this information from Google, it is “spread across multiple pages”, making it “not easily accessible for users”.
According to CNIL, when it comes to Google processing data, the purposes of the processing were too vague and generic, meaning users weren’t able to fully understand them. Alongside this, it was found that the consent obtained for ad personalization was not valid.
The Operational Impact of GDPR
GDPR-style “copycat legislation” is expected to come into force in other jurisdictions over the next few years; Canada, Singapore, the US, Australia and Brazil, for example, are introducing similar legislation.
In 2017, cyber attacks on organisations cost the UK economy £10 billion, with seven out of ten companies falling victim to a cyber-attack or breach. According to the Data Security Confidence Index, 58% of organizations collect sensitive data via email. Should sensitive information sent via an unencrypted email from your business be intercepted, your business will be found to be in breach of GDPR. With spam attacks, email spoofing and phishing being prominent forms of cyber crime, it has never been more important to use email software that is secure and will protect your business. After all, an insecure email is at risk at every single stage of its journey.
CEOs, managers and business directors need to educate themselves and their employees about the importance of cyber security and start putting extra precautions in place so that they can create a more GDPR compliant future.
About the Author
Robin Bingeman is the Managing Director and one of the original development team who brought Cryoserver to the market as the expertly simple email archiving solution to solve issues which law firms, forensic teams, data protection officers and government agencies were experiencing on a daily basis. Under his steady leadership, Robin has boosted the development of Cryoserver into a technology used by all types of businesses spanning across 25+ countries. With over 18 years in the email industry, Robin is a thought leader on email management, compliance and privacy laws such as GDPR. Robin can be reached online at our company website, https://www.cryoserver.com/.