The end of May 2019 marks a year since the EU General Data Protection Regulation (GDPR) came into force. This legislation was expected to have a significant impact on businesses that process personal data, and 'processing' and 'collecting' data is something almost every business does as a matter of necessity.
Since the regulation came into effect there have been 59,000 incidents reported across the EU, with potentially many more caught up in bureaucratic backlogs. In the UK the Information Commissioner's Office (ICO) saw complaints of data breaches rise by 160% in the first six weeks after the introduction of GDPR. The UK is the third highest in Europe for the number of GDPR breaches reported. It would therefore seem that the public has a fair understanding of their rights under GDPR. Not all reported breaches are the large-scale and widely publicised cyber-attacks; reports also include simple breaches such as an email sent to the wrong recipient.
So, were businesses ready in time for GDPR? It would seem not. A survey by TrustArc found that at the beginning of 2019 80% of businesses believed they were not compliant and 27% had not even begun work on becoming compliant. Another survey by Talend concluded that 70% of UK organisations are currently unable to respond to data subject access requests within the one-month time limit allowed.
The ICO has described this first year as a transition year, with the focus on legacy cases and fines being handed to Uber, Facebook and Equifax. Indeed, Facebook was fined by the ICO the maximum penalty available at the time of the incidents, £500,000, for serious breaches of data protection law after it failed to keep data secure between 2007 and 2014. Its reputational damage will also take time to recover from. Under the GDPR and the Data Protection Act 2018 the maximum penalty is now £17.5 million or 4% of annual global turnover, whichever is higher. The number of fines issued is likely to go up in the coming years.
There is uncertainty for businesses at present, but there will be no reprieve from GDPR under any potential Brexit outcome. The EU (Withdrawal) Act 2018 incorporates GDPR into UK law from the point the UK leaves the EU, and the Data Protection Act 2018 supplements the GDPR in UK law. The GDPR is here to stay.
Why risk a complaint and a potential fine? Ensure that you are up to date with GDPR requirements and that you remain compliant. Be clear about what personal data you collect and why. Make sure people are given a clear choice to opt out or withdraw consent.
Do you need help with data subject access requests, or with reviewing whether your storage of employees' personal data is GDPR compliant? Contact us today to discuss how we can help give you that reassurance. Clover HR has GDPR-qualified staff who can conduct data reviews and gap analyses, and we would be delighted to help.
Please contact Clover HR email@example.com or 01905 824051.