Since GDPR was introduced, statistics released by the UK government and various cyber security surveys suggest that there has been a reduction in the number of businesses experiencing a cyber attack or breach. We suspect that the introduction of the regulations has resulted in organisations taking cyber security more seriously; however, it’s clear there is still a long way to go as cyber security is still not on the top of many businesses’ to-do lists, and many still do not yet have dedicated budgets to address their security and data-related shortcomings.
From our perspective, the widely-publicised stories about crippling fines associated with data breaches post-GDPR have mostly failed to materialise and, as such, it’s been business as usual for a lot of the organisations we speak to. In a survey of 1,021 UK workers carried out by MarketingSignals.com, one-in-three businesses (37 per cent) confessed to not following GDPR, despite the warnings given before the 2018 deadline.
During the first few months after GDPR came into force, most investigations were largely explanatory, mainly offering recommendations and guidance to companies found to be in breach. Initially, businesses were given a certain amount of leeway and the opportunity to get their houses in order, but this phase is now largely over, with enforcement stepping up and contraventions increasingly being sanctioned.
GDPR is a journey rather than a destination, and as the Information Commissioner’s Office (ICO) continues to work through its considerable backlog, we can expect more fines to be issued and publicised, with corporate behaviour shifting accordingly.
Businesses that cooperate and take proactive measures to improve their data management processes to satisfy GDPR can reasonably expect proportionate penalties and reduced fines. In any case, the evidence so far has shown that, in general, fines issued have been well below the headline figure touted in the press and the maximum levies permitted.
To ensure that businesses do not become complacent, data management and safeguarding should be given high priority within an organisation. This starts with understanding exactly what data the business has, and how it is acquired, processed and used.
Policies, procedures and working practices need to be devised and/or refined to ensure that only the personal data that is genuinely necessary is stored, and that access to this data is restricted to just the personnel who need to use it. The implication is that staff will need training, and processes will need to be introduced so that periodic reviews confirm compliance is being maintained.