GDPR: one year on
What was more popular than Beyoncé and Kim Kardashian in terms of Google searches a year ago?
The somewhat surprising answer is GDPR.
Anyone involved with the handling of personal data will probably break out in a cold sweat at the memory of the introduction of the General Data Protection Regulation on May 25 last year.
The new EU privacy rules created a new cottage industry of GDPR experts and consultants as organisations spent millions on ensuring they were GDPR compliant.
Individuals were bombarded by emails and notifications from companies urging them to give their consent to keep receiving communications and promotions. Annoying as that became for many people, it did nevertheless provoke a new debate about our rights when it comes to our personal data and how it is used.
Most of us had little idea of how much of our personal data was stored and used by businesses – often to track our likes, dislikes and buying habits, enabling us to be targeted by highly personalised marketing campaigns.
GDPR effectively established personal data protection as a fundamental human right. And its introduction brought with it some substantial new powers for regulators.
Breaking GDPR rules can result in fines of up to €20 million (about £17 million) or a maximum of 4% of an organisation’s total global revenue. It is eye-watering stuff.
And it is no surprise most organisations took its introduction so seriously.
A year on, it is rare to log on to any website and not be told about – and asked for your acceptance of – the cookies or similar technologies it uses, or to be referred to the site’s privacy notice.
The fear of hefty fines seems to have kept them to a minimum, but there are still headline-grabbing examples of organisations falling foul of GDPR.
In the UK, the most high-profile case has been that of the pregnancy club Bounty. It was fined £400,000 last month by the Information Commissioner’s Office (ICO) for sharing the data of more than 14 million people.
Fines have been imposed in almost every country in the EU, with Google being hit by a massive €50 million penalty for failure to secure consent on personalised advertisements.
Like many aspects of law, ignorance is no defence for GDPR misdemeanours – particularly given the huge amount of publicity in the run-up to its introduction last year (hence the search-popularity comparisons with Beyoncé and Kim Kardashian).
Irrespective of Britain’s future in the EU, GDPR is here to stay and organisations are well advised to ensure they remain compliant and vigilant.
The best independent (and free) guide to GDPR and its implications for organisations and individuals is available from the ICO’s website – www.ico.org.uk
Zep Bellavia is Managing Director of Newport-based solicitors and accountants Bellavia & Associates.