Data breaches have gone mainstream – that’s the conclusion of regulators as they look back on the first six months of GDPR. They show that the number of companies reporting breaches and the number of customers making complaints have risen dramatically since the new law came into force.
In a speech in New Zealand, Elisabeth Denham confirmed that more than 8,000 reports of data breaches since the new laws were introduced. The rules place obligations on all companies in all sectors to promptly inform the regulator when data has been breached. In those situations in which the data has the potential to cause serious harm to the customer, they must also inform individuals.
This, she said, was a clear sign that the law was working as intended.
“It’s just over six months since the new law came into effect across Europe bringing with it greater accountability, transparency and consumer control. As anticipated, I am seeing more of everything in the UK,” she said.
In addition, it appears as if the public are becoming better informed about GDPR. Complaints had more than doubled in the last six month from around 9,000 to just over 19,000 for a comparable period. She said the arrival of GDPR had served to heighten the public’s awareness about the potential of their data and the obligations on companies to use it responsibly.
Another impact of GDPR is also being felt by hundreds of companies who have failed to pay their annual fee to the ICO. This fee was introduced as part of GDPR and means that all companies, organisations and sole traders who process personal data must pay a fee to the ICO or face a fine of up to £4,350. More than 900 notices of intent have been sent out since September and more than 100 final monetary penalty notices are being issues in this first round.
The most immediate impacts, then, have been increased public awareness and a considerable rise in the workload of the ICO. Its staff has risen to almost 700 to deal with the expected increase in work, but it will continue to come under pressure.
We have also seen differences in the way companies have decided to respond. Facebook, for example, was fined £500,000 by the ICO for its involvement in the Cambridge Analytica scandal. The fine is the maximum the regulator could impose as the breach occurred before GDPR came into force.
This equates to around eighteen minutes worth of the company’s profits but even so they have decided to appeal based on what they describe as a ‘matter of principal’. They claim the data of UK customers was not used, while the ICO argues it has no way of confirming this and, in any case, the breach put the data of UK individuals at jeopardy.
On the other hand, Apple have decided to turn their obligations into a competitive advantage by being as open as possible with its users about how their data is used.
So, while Facebook is turning to the law to make it as difficult as possible to levy a fine, Apple and others see this as an opportunity. Customers are increasingly away of their rights and companies’ obligations and they are willing to exercise those rights. By being going beyond what’s required, Apple are positioning themselves as an organisation of trust, while Facebook are implicitly telling the world that they don’t care how much they are trusted.
As well as showing two different approaches to GDPR, this also highlights the challenges for both companies and the ICO. Facebook’s fine could have been much higher under GDP – something which even they might have noticed. If they and others contest their fines, the question is whether the ICO will have the resources to enforce it. Apple, meanwhile, show that customer trust and data is becoming a commodity – one which organisations can use to their advantage.