
Are Businesses Still Taking GDPR Seriously?

As we mark five years since the GDPR came into force, has a lack of significant fines caused some CEOs not to take it so seriously? Dan Raywood looks at whether GDPR failed to live up to the hype.

In the run-up to May 2018, the expectation of GDPR was that this would be a significant game changer in compliance enforcement. From the first conversations around data protection reform, it was clear that the level of enforcement was going to be more significant than the £500,000 maximum monetary penalty the Information Commissioner’s Office (ICO) had begun to issue in 2011.

In fact, the GDPR determined that for “especially severe violations, the fine framework can be up to 20 million euros, or in the case of an undertaking, up to four per cent of the total global turnover of the preceding fiscal year, whichever is higher.” Even for less severe violations, Article 83(4) sets forth fines of up to 10 million euros, or, in the case of an undertaking, up to two per cent of the entire global turnover of the preceding fiscal year, whichever is higher. 

Pretty scary stuff, eh? Those potential figures received heavy publicity in the run-up to May 2018. A Varonis survey from 2017 found that 75% of 500 surveyed decision-makers agreed that the fines imposed could cripple some organisations, and 44% believed companies could increase prices to insulate themselves against penalties.

GDPR Fines – Not What Was Expected

However, the biggest ICO fines show that million-pound figures have only been topped a few times, with the £12.7 million for TikTok from April 2023 now among the top fines issued. 

Have we been let down if we were expecting GDPR fines to be so severe and businesses to fear them? After all, the largest fine was issued to British Airways in 2019, with a total of £183 million determined when the personal data of 500,000 customers was stolen from their website and mobile app. However, just over a year later and after an appeal, that amount was reduced to £20 million. Not an insignificant amount, but one which would have harmed the ICO’s bite as a regulator.

Are businesses taking GDPR seriously, considering that the expected heavy fines have not materialised and significant fines have been reduced? Jonathan Armstrong, partner at Cordery, believes that CEOs are not taking GDPR seriously for these reasons. “I think that the issue was that GDPR was hyped up in 2018 with many non-qualified advisers telling organisations that the floodgates would open and that they would be subject to huge fines,” he says.

“When that did not happen in 2018, the leadership in many organisations relaxed, thought it was all hype and stopped paying attention to data protection issues. I know that some organisations defunded GDPR projects as a result.”

Armstrong says that at the introduction of GDPR he believed it was likely that there would be no substantial fines at the outset, “partly because some Data Protection Authorities were giving an extended amount of time for the new law to settle in, and partly because large investigations take some time to work up to get to the position where the DPA can levy a fine.”

What Do The Experts Really Think of GDPR Implementation?

To get an idea of the impact of GDPR, we surveyed the National Association of Data Protection Officers (NADPO) members for their thoughts on these claims. When asked if they felt GDPR had lived up to its pre-2018 hype, of the 58 responses collected, 62 per cent said it had not.

NADPO chair, and DPO at Mishcon de Reya, Jon Baines, agrees that the hype certainly raised the profile of data protection but said it also led to an overreaction in some areas, with some ‘recoil’.

“Some senior execs and board members, understandably, have questioned whether the efforts put in to achieve compliance were (or continue to be) necessary,” he says. “The best answer to that sort of challenge is that good compliance is nearly always aligned with good business practice – it should result in a win-win in the vast majority of cases.”

Baines also comments that while successive commissioners have told us that enforcement is not just about fines, and current commissioner John Edwards has shown himself especially keen on ‘reprimands’, which are a kind of ‘soft enforcement’, he feels much more use could be made of enforcement notices – which are formal legal notices requiring organisations to take specified steps (or refrain from taking them), and where failure to comply is potentially a criminal offence. 

“I think more use of these powers would tend to get boardroom attention whilst avoiding the need for punitive (or worthless) fines.”

Looking forward, we asked the NADPO members what the ICO needs to do to make GDPR the fearsome prospect it once was. The NADPO members left a variety of comments, saying the ICO “needs to support its application and enforce breaches”, offer “clear, consistent, sector-specific guidance”, and “issue sanctions to organisations that under-resource its data protection functions.”

There were also comments calling for the ICO to be more active in enforcement, as educating companies is essential, “but when enforcement would have a greater impact for the long term, they are currently lacking credibility.” Another comment called for the ICO to deal with complaints about everything “and not just big data breaches” and to enforce using its powers (not necessarily fines), such as stopping companies from processing data at all.

Also, there has long been consideration of where the money goes when a fine is paid. One person called for the ICO to declare how much money a penalty would have been, but then to insist that the organisation spend that money fixing the faults, “so the organisation isn’t expected to make improvements whilst also suffering fewer resources, but the threat of someone will come in and ‘take your money away’ (so you can’t spend it how you like) is there.”

The Role of the ICO

In a recent speech at the IAPP Data Protection Intensive UK, Information Commissioner John Edwards said it is crucial for the regulator to show that non-compliance with data protection is not profitable. “Misusing your customers’ information to gain a commercial advantage over others will always be viewed negatively by my office, and we will seek to impose fines commensurate with the ill-gotten gains achieved through non-compliance.”

The 2021-22 annual report from the ICO said its focus is on supporting organisations to meet their legal requirements. “We target our regulatory action in areas where poor data protection practices have the most significant impact on people. We use our enforcement powers only where it is required and always in a proportionate way.”

We contacted the ICO for a direct response but had not received an answer at the time of publication.

Looking To The Next 5 Years of GDPR

Armstrong says there has been a substantial increase in GDPR fines in the last year, “so that there are now more than 2000 fines with more than €2.6bn in fines being levied.” He also says we are seeing DPAs use their powers more creatively – for example, with the suspension of processing for Replika AI and ChatGPT.

“So, it is not just about the fine, and these suspensions can be business critical as well – you will see how the CEO of OpenAI dropped everything to talk to the Italian DPA after the suspension. So, I think the difficulty for many organisations is that they look at the past rather than the present.”

The rollout of GDPR was lengthy and allowed businesses to get their house in order for this data protection regulation. If CEOs are to take this seriously, perhaps fewer sensational headlines would be a good thing, as would more emphasis on supporting and enabling those companies who fail.
