GDPR one year on, what changes have we seen?

Are fines in effect yet?

Facebook, Google, Instagram and WhatsApp received complaints within hours of the new law taking effect. In fact the European Commission stated that Data Protection Authorities (DPAs) had received more than 95,000 complaints since May ¹. Then on 21st January this year, the French data protection watchdog, CNIL, fined Google €50 million following a breach of GDPR ². For social media companies who provide services in multiple countries, GDPR works by allowing one country to take the lead (in Google’s case, France) while the other authorities involved support the investigation. If there is a disagreement between them then the European Data Protection Board will arbitrate. ³

While this fine is minimal considering the €30 billion turnover that Google reported in the last quarter alone, the fine does demonstrate a willingness to implement GDPR and deliver penalties where appropriate. The investigation’s findings showed that Google breached the GDPR by violating the obligations to be transparent and provide information to data subjects as well as failing to obtain consent for personalised advertisements. The second violation was due to a pre-checked consent box which did not comply with the affirmative action required under Article 4(11) of the GDPR.

Google has announced it will appeal the fine ⁴, and released a statement declaring that it is ‘committed to meeting those expectations and the consent requirements of the GDPR’. This fine sets a potentially expensive example for the other companies targeted by NOYB including Amazon Prime, Apple Music, Netflix, Spotify and YouTube. We have also seen several large data breaches in the media, notably British Airways and Facebook (again) and the outcome of these incidents will undoubtedly set the precedent for GDPR.

There have been smaller fines already, with the State Commissioner for Data Protection and Freedom of Information Baden-Wuerttemberg (LfDI) making history as the first German data protection authority to impose a fine under the GDPR. A social media company received the fine of €20,000 for failing to securely encrypt personal data after a hacker stole approximately 330,000 users’ data and published it online. ⁵

In addition to this, last October, a hospital in Portugal was fined €400,000 for two instances of inappropriate access to patient data ⁶. This was due to non-medical staff using medical staff profiles with unrestricted data access on the computer network. ⁷

Have companies secured their data?

Research in the wake of GDPR revealed that 82.6% of businesses in the EU generally hold personal identifiable information (PII) on customers and 70.2% do so for employees, with more than a fifth admitting to holding biometric and health data. ⁸

Yet despite this vast amount of data being held, 56% of companies confessed that they haven’t checked that their data complies with GDPR and 51.4% hadn’t documented their security measures. ⁹ Those who have cybersecurity protection leant on anti-malware software (90.65%), browser protection software (87.8%) and a firewall (83.7%). ¹⁰ This is worrying news when 41,502 data breach notifications occurred between the introduction of GDPR and January this year. ¹¹

For small businesses who aren’t fully organised there is some hope as GDPR recognises the need to treat them differently from larger organisations. Article 30 of the GDPR declares that companies with less than 250 employees will not be bound by GDPR, though it’s still advisable to secure your data. ¹²

The influence on internet use

One unforeseen impact is the reduction in the use of third-party cookies on European websites, which is down 22%. This is mostly due to the requirement for user consent, as organisations are likely deferring use of cookies until the user clicks the consent button. ¹³

As well as this, many U.S. sites heave dealt with GDPR by blocking European visitors from their site entirely – including 1,000 news sites. ¹⁴

Insurance can assist you

While an insurance policy cannot help you comply with GDPR, it can help you reduce the risk of a fine and the time required to deal with a cyber breach. A cyber policy can outsource these issues, giving you access to specialist knowledge which could help you to avert a PR crisis and a significant fine, as well as getting the business back up and running. GDPR isn’t going away, but a cyber policy can help ensure that your business keeps trading with minimal financial and reputational damage.

Our cyber insurance offers a 24-hour hotline response, speeding up the important step of reporting the breach to the ICO. Post-event we can help you with disaster recovery costs, pay for forensic investigations into the cause of the breach and help to mitigate the damage by engaging PR specialists and legal advisors. In short, it could solve a problem that you are unlikely to tackle on your own.

If you would like to discuss GDPR in more detail or have any questions related to your policy, simply contact your usual Gallagher representative to find out more.

Sources

1. https://www.lexology.com/library/detail.aspx?g=e6416273-7c56-456c-b102-991dcde14991
2. https://www.mondaq.com/privacy-protection/775366/
3. https://ec.europa.eu/commission/sites/beta-political/files/190125_gdpr_infographics_v4.pdf
4. https://born2invest.com/articles/google-appeal-fine-french-regulators/
5. https://blogs.dlapiper.com/privacymatters/germany-first-data-protection-authority-issues-gdpr-fine/
6. https://www.siliconrepublic.com/enterprise/gdpr-six-months-on
7. https://www.itgovernance.eu/blog/en/portuguese-hospital-appeals-gdpr-fine
8. https://www.welivesecurity.com/2018/09/10/100-days-gdpr/
9. https://www.welivesecurity.com/2018/09/10/100-days-gdpr/
10. https://digiday.com/media/impact-gdpr-5-charts/
11. https://ec.europa.eu/commission/sites/beta-political/files/190125_gdpr_infographics_v4.pdf
12. https://smallbusiness.co.uk/what-does-gdpr-mean-business-2538556/
13. https://iapp.org/news/a/survey-cookie-use-down-among-eu-news-sites-since-gdpr/
14. https://econsultancy.com/gdpr-which-websites-are-blocking-visitors-from-the-eu-2/