26 November 2018 by Spencer Symmons
It’s been almost six months now since the GDPR was introduced on 25th May and so far, the slight panic that could be felt in the air in the lead-up to G-Day seems to have been in vain. Whilst experts warned against new restrictions and breaches resulting in heavy fines, in reality not a single penalty has been issued.
That’s not to say, however, that regulating bodies have not received complaints or launched investigations or that businesses have been totally compliant with new regulations. Up until now, those responsible for implementing the GDPR rules – the ICO, in the UK – have given companies some time to adjust. But that’s about to change.
On 7th November, we hosted a cluster group at CPS HQ to examine the GDPR and the effects it has had so far, with the ICO in attendance. We’ve held 12 of these groups over the last 18 months, focusing on topics from the GDPR to cybersecurity. For this meeting, among the topics discussed were the likelihood of impending fines, when they will come in and who will be penalised. It’s expected that Ticketmaster may be the first to receive a sanction, following a data breach in June which saw 40,000 customers affected. Under the GDPR, Ticketmaster could face fines of up to £17 million or 4 per cent of annual turnover, whichever is higher.
Whilst the ICO could take this opportunity to make an example of Ticketmaster, it is likely to come down to how the breach happened and what the business has done to protect customers in the future. The speed of reporting by Ticketmaster is also likely to work in its favour, as one rule of the GDPR is that breaches must be reported to the ICO immediately. So, whilst we can’t say quite yet, the Ticketmaster ruling could change perspectives on the GDPR, particularly if the ICO is seen to be working with businesses, rather than doling out maximum punishments.
In some arenas, there seems to be a thirst for heftier fines and suspensions, however. After the Cambridge Analytica scandal, many people were disappointed with the ruling that Facebook must pay the ICO £500,000 – the maximum fine that could be applied prior to the implementation of the GDPR. Facebook are currently being investigated by the DPC – Ireland’s equivalent of the ICO – over their questionable ad practices and it’s thought that this time around, should an investigation not go their way, Facebook will face a much higher fine.
Perhaps a surprising effect of the GDPR has been the change in international views on privacy. According to U.S. Representative Will Hurd, a GDPR-like set of regulations could be on the agenda for the Democrat-controlled House at the beginning of 2019; a stark change from the US-based websites which chose to block EU visitors, rather than adhere to the new rules. It’s not just the US either; India, China and Canada are among countries with new and impending data protection laws that have been heavily influenced by the GDPR.
There’s one big European elephant in the room of course – Brexit. The GDPR is written in EU law, so there is no certainty that firms in the UK will be forced to abide by it, or that UK citizens will be afforded the same protections post March 2019 as we enjoy now. Given that the rest of the world seems to be more concerned about data protection following the introduction of the GDPR, and that the UK was in favour of stronger data regulations pre-adoption, it seems unlikely that the GDPR will not be included in the Great Repeal Bill. As it stands though, just like so many other things, we can’t know for sure until a deal is agreed.
So, whilst the GDPR has yet to bring about any sanctions, it would be wrong to believe nothing has changed. Big fines and suspensions are imminent for businesses who continue to risk consumers’ personal details, and individuals are more aware than ever of their rights concerning data protection. As other countries are reviewing their own privacy policies, the GDPR might just change the world after all.