It has been about 18 months since the General Data Protection Regulation (GDPR) came into force across the European Union on 25 May 2018, and it has transformed the landscape for personal data privacy.
As more businesses collect and store personal data gathered from platforms like mobile phone apps, loyalty schemes, location-based advertising and connected devices, it is now vital for organizations to comply with the laws governing its storage and treatment.
We share how organizations have responded to GDPR so far and what is on the horizon for data protection in the future.
GDPR: the basics
GDPR 2016/679 is the EU law governing everyone's fundamental right to the protection of personal information concerning them.
It unifies and streamlines laws across the EU, clarifying what is expected of all who handle personal data and smoothing cross-border data flows.
It also enables individuals to find out what information a company holds about them.
GDPR: the first year in numbers
At the start of the implementation period there were estimated to be over 375,000 data protection officers in Europe who would be affected by the regulation and who would need to ensure compliance within 2 years.
By GDPR's first anniversary in May 2019 there had been:
- 144,000+ individual complaints;
- 89,000+ breach notifications;
- 440+ cross-border cases; and
- €56,000,000+ in fines.[1]
The most common types of complaint concerned telemarketing activities, promotional emails and video surveillance, or CCTV.
By far the largest fine, of €50,000,000, was imposed by the French data protection authorities on Google over its collection of data for personalized adverts.[2]
In the UK the Information Commissioner's Office (ICO) reported the following.
- It had received 14,000 reports of personal data breaches from 25 May 2018 to 1 May 2019 – up from 3,300 in the previous year.
- 82% of these required no action from the companies concerned.
- Despite these breaches, research carried out for the ICO in 2019 reported that 34% of people had high trust in companies' storage of their data – up from 21% the previous year.
- 64% of data protection officers saw an increase in customers exercising their personal information rights since GDPR was implemented.[3]
Clearly, GDPR is curbing cavalier attitudes among some companies and empowering individuals, but there is still some way to go.
GDPR: challenges to come
Looming on the horizon are two growing challenges.
Firstly, Big Data. The quantities of data being produced the world over are now simply mind-boggling. By 2013 the accumulated digital universe of data was estimated at 4.4 zettabytes. By 2020 it's forecast to be 44 million zettabytes (1 zettabyte equals 1 trillion gigabytes).[4]
By using smart technology like artificial intelligence and the Internet of Things, businesses are processing the data collected from devices faster. This data is used to inform learning so that businesses can improve their own performance, but organizations need to know that the personal data processed by these devices is also subject to GDPR.
Secondly, cybersecurity. As hackers become increasingly sophisticated, companies are being forced to increase their data protection, often at considerable cost. Some CEOs might find this initial cost a burden, but it pales in comparison with the cost of a serious data breach: a 2019 study for IBM put the average cost of a breach at $3.92 million.[5]
From compliance to accountability
As the UK's Information Commissioner, Elizabeth Denham, said: 'The focus for the second year of the GDPR must be beyond baseline compliance – organizations need to shift their focus to accountability, with a real evidenced understanding of the risks to individuals in the way they process data and how those risks should be mitigated.'[6]
One area of potential development to help companies become more accountable is certification. Although GDPR encourages companies to achieve certification, there is currently no agreed standard.
One potential certification mechanism is BS ISO/IEC 27701:2019, Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines, a standard for privacy information management that can be mapped on to GDPR.
Other advice is also available. BSI's free Privacy Matters White Paper explains why the new standard ISO/IEC 27701 was developed and the value it could bring in the changing privacy landscape. It not only improves the way companies handle data but also allows them to demonstrate their accountability and increase customer trust.
Key takeaways
BSI's own Cybersecurity and Information Resilience team have three pointers for data protection officers. In the free on-demand BSI webinar, Conor Hogan, Senior Manager of Information Governance, and Ines Rubio, Head of Information and Incident Response, give the following advice.
1. Be proactive
As the saying goes, 'Fail to prepare, prepare to fail.' Focus on what you can control and have a risk-based plan to deal with any potential breaches.
2. Respond quickly and methodically
The 'whack-a-mole' approach won't work. Have resources, people, processes and capabilities documented, tried and tested so you are poised to respond promptly to any issues.
3. Be aware that there is mounting enforcement
The first year was regarded as a bedding-in period. Regulators are now getting tough. Compliance is compulsory and it applies to everyone.[7]
Read more about BSI and GDPR
You can find out more about privacy and buy the standard from the BSI shop at: https://shop.bsigroup.com/ProductDetail?pid=000000000030351736.
The White Paper is free to download at: https://www.bsigroup.com/globalassets/localfiles/en-gb/data-protection/bsi_privacy_matters_white_paper-web.pdf
You can also watch the webinar replay, GDPR: A year in data protection and privacy.