GDPR’s impact two years on
It has been exactly two years since General Data Protection Regulation (GDPR) legislation came into force across Europe, and this has had a seismic effect on data privacy and its subsequent impact on businesses.
When proposed, the GDPR legislation was met with trepidation. Headlines about massive regulatory fines, class actions and compulsory breach reporting struck fear into firms already grappling with the consumerisation of privacy. Maximum fines went up from £500,000 to 4 per cent of annual turnover or €20 million (£18m), whichever is higher. Have the new laws unfolded in the way we expected? Perhaps not exactly, but there has been a massive shift in the privacy landscape. When the regulation took effect on 25 May 2018, the personal data of staff and customers became an executive-level responsibility overnight.

We have seen some early examples of significant regulatory action under GDPR: notably the €50m fine issued by the French data regulator CNIL to Google in early 2019, followed by the UK’s regulator, the Information Commissioner’s Office (ICO), issuing notices of intent to fine British Airways (£183m) and Marriott International (£99m). Those notices are still under discussion and not final, and regulatory action is slow, especially for fines at this level. Most privacy breaches do not result in a regulatory penalty. We are seeing more people make privacy breach claims through the courts, individually or as class actions, and we expect this to continue. However, most changes for businesses have happened behind the scenes.
GDPR made it compulsory to report some, but not all, personal data breaches to the ICO. Every organisation suffers data breaches from time to time; what matters is handling them sensibly, keeping suppliers in check and having trained staff in place to assist.
Data subject access requests (DSARs) have also leapt due to increased awareness of our rights, and these can be resource-intensive to handle. Our DSAR handling capability for clients has trebled in the past year as a result.
It’s not all doom, gloom and cost, though. We’ve seen improvements in how organisations handle customer data. In short, privacy sells: in the corporate finance world post-GDPR, data-compliant businesses get significantly better valuations and returns.
Another plus is progress in privacy and technology. A lot of the work we do is around implementing tech solutions in a privacy-compliant way, based on the “privacy by design” concept introduced by GDPR.
Of course, new tech will always challenge privacy, and this is clear in the debate on the use of tracking technologies to tackle Covid-19.
It will take most new regulatory changes five years to take root, so we expect more high-profile penalties and cases. For now, the changes to the privacy landscape brought about by GDPR, and driven on by consumer awareness, are here to stay.

Helena Brown is a partner and head of data at Addleshaw Goddard