GDPR - One year on

This year has demonstrated that protecting personal data continues to be a challenge for companies across the globe.

Since the General Data Protection Regulation (GDPR) was introduced in May 2018, the Information Commissioner’s Office (ICO) has received an average of 1,000 data breach reports every month.

There have been several high-profile data breaches. These include British Airways having 380,000 transactions compromised and Timehop with 15 million accounts being accessed as a result of an attack.

The first anniversary of GDPR is a timely reminder that data and information are key to business operations. All individuals are custodians of the data handled every day and they must protect and respect it. Without customers’ trust and a strong reputation, companies will struggle to succeed.

Top 5 lessons learnt in year one

1. Of the 3,200 breaches reported to the ICO in quarter one, 2,059 of these were a result of phishing attacks. This demonstrates that phishing continues to be a high risk area for data compromise. Strategies to enable employees to stop and think before they click are critical.

2. A further 1,050 of breaches were as a result of system hacks. This emphasises the importance of technical solutions and having up-to-date software in place.

3. We know non-compliance with GDPR requirements brings great financial penalties. However, we are yet to see the level of fines the ICO will impose for data breaches. This is not because the ICO have waived any fines, it is because the investigation process is time consuming. Time will tell.

4. The ICO will prosecute individuals as well as companies. Three people (a head teacher, a nurse, and a doctor’s receptionist) have been fined for accessing and using personal data inappropriately.

5. All requirements of the legislation are subject to penalties. For example, organisations across manufacturing, business and finance sectors have been fined for the non-payment of the ICO data protection fee.

Don’t forget DPA

Let’s not forget that the UK has also seen the introduction of supplementary data protection legislation – the Data Protection Act 2018 (DPA 2018).

DPA 2018 provides additional powers not covered by GDPR. For example, investigators can request a warrant to search premises in the event of a data security incident, and individuals or organisations can be prosecuted for failing to provide information.

Destroying or altering any information named in a warrant can also lead to prosecution. These new powers will assist the ICO when investigations are delayed due to information being tampered with.

The new act also deals with data processing that does not fall within European Union law, for example, processing personal data related to UK immigration and national security. It also details the handling of special category data when it is a matter of ‘significant public interest’, such as processing for journalism, insurance, pensions or standards of behaviour in sport.

The other welcome change is that DPA 2018 takes account of today’s internet, digital technologies and social media.

Final note

The frequency and methodology of attacks are sustained year on year, although they are becoming more sophisticated.

To build resistance to attacks, companies require a systematic and sustained approach to data protection, complimented by effective methods of employee learning and development.