One year on from the European Union’s General Data Protection Regulation (GDPR) coming into force on 25 May 2018, what have we learned over the past year, and how much has the regulation changed the way businesses regard data protection?
In the UK, the GDPR (together with the Data Protection Act 2018) replaced the Data Protection Act 1998, which was considered seriously outdated given how far technology has advanced and how deeply it is now integrated into both business and personal life. The GDPR was designed to protect the personal data of individuals in the EU, whatever their citizenship, and to make organisations more transparent about how they handle that data.
The arrival of GDPR forced businesses to step up and think about their data more rigorously than before. Backed by the threat of heavy fines and strict compliance requirements, the national supervisory authorities responsible for enforcement have so far taken a strong yet measured approach.
Enforcement of the GDPR to date
An official report from the European Data Protection Board covering the first nine months of GDPR recorded over 206,000 cases across 31 EEA countries, including around 95,000 arising from complaints and around 65,000 from data breach notifications. National supervisory authorities had already imposed 91 fines totalling almost €56 million, including a single €50 million fine against Google.
Google was fined €50 million (£44m) by the French data protection regulator, the Commission nationale de l’informatique et des libertés (CNIL), for breaching the GDPR’s transparency and consent requirements in relation to ads personalisation. The regulator found that users were “not sufficiently informed” about how Google collected data to personalise advertising, and that the consent relied upon was not validly obtained. Note that this was a failure of transparency and lawful basis, not a data breach: no personal data was leaked. Google has maintained that its adverts are targeted based on the type of content on a web page rather than internet users’ personal circumstances. Whilst Google has received the largest fine of any organisation to date, it is still only a fraction of the maximum penalty available under the GDPR, which is the higher of €20 million or 4% of total worldwide annual turnover – in Google’s case a difference of billions of pounds.
Further inquiries have been opened into giants such as Apple, Facebook, WhatsApp, Instagram, Twitter and LinkedIn, as well as into streaming services offered by Amazon, Netflix and Spotify.
How has the regulation affected businesses?
Operations and compliance director at Hyve, Graham Marcroft, said, “Before GDPR came to be law, most people were confused as to what it actually was, as well as what they needed to do to fully comply. The introduction of GDPR a year ago has certainly shed more light on where some companies have been going wrong and has also meant that customers look more critically when choosing where to store and process their data. When it comes to choosing a managed service provider, customers are now more likely to look for somewhere that abides by guidelines over and above what is expected by GDPR, such as independent accreditations like ISO27001.”
What has Cantium done to help our education customers manage their data?
The year since GDPR was introduced brought complex changes to data protection regulations, making 2018 a particularly demanding year for schools and placing real pressure on school resources and finances.
GDPRiS is a cloud-based platform designed specifically for Data Protection Officers (DPOs), schools and third-party data processors working with schools. It reflects existing processes and the way schools already work, whilst proactively prompting them to meet and exceed the new regulations.
DPO as a Service (DPOaaS) is now available to all customers that purchase the GDPR in Schools (GDPRiS) cloud platform. DPOaaS is a practical and cost-effective solution for schools, trusts, and academies that don’t have the data protection expertise and knowledge to fulfil their Data Protection Officer (DPO) obligations.
Achieving ISO 27001 certification in January 2019 was a high priority for Cantium, so that we can demonstrate that our information security management follows recognised best practice.
The future of GDPR
A year in, GDPR is no longer an area where companies can merely “work towards” improvements in data protection and governance. Companies should by now have established their own standards and should be continuously monitoring their processes for compliance gaps and possible security breaches.
For individuals and customers, GDPR is more than just an inbox-clogger: it gives you the power to hold companies to account. If individuals begin to exercise their GDPR rights in large numbers – withholding consent for certain uses of their data, requesting access to the personal information held about them, or asking for it to be erased altogether – it could have a huge effect on the data industry.
GDPR protects individuals in the EU (and binds organisations anywhere in the world that process their data), but many new laws coming into effect elsewhere have clearly been influenced by it. The California Consumer Privacy Act (CCPA) becomes effective on 1 January 2020 and enhances privacy rights and consumer protection for residents of California.
It is possible we will see a domino effect, whereby as one jurisdiction adopts a GDPR-style framework, others follow, and GDPR starts to shape data protection on a global scale.