GDPR one year on: from hefty fines to positive outcomes
Complying with data protection rules is not just about preventing breaches, it also enhances your engagement with clients, says Hilary Campton
The General Data Protection Regulation (GDPR) came into force on 25 May 2018 and brought in expanded rights for individuals over their data, placing greater obligations on all businesses that process personal data.
Like many law firms, we began preparing for GDPR at the start of 2017. The first step was to establish a GDPR team and to create a clear project plan to ensure and maintain compliance.
This included cleansing and updating data records, securing consent to market, creating policies and procedures for subject access and right to be forgotten requests, gaining the Cyber Essentials security accreditation, and implementing a firm-wide training scheme.
In the months leading up to 25 May 2018, one of the biggest concerns for organisations was the GDPR’s huge fines for infringements.
Although the Information Commissioner’s Office (ICO) had had the power to issue penalties under the previous data protection laws, the level of potential fines under the GDPR elevated these to a whole new level – the maximum fine is set at €20m or four percent of global annual turnover, whichever is higher.
As we approach the one-year mark and take a view on what is working well, the GDPR breach notification channel has clearly had a significant impact, while the fining authority has been less obviously valuable.
European data protection agencies have issued fines totalling €56m for GDPR breaches since it came into force, arising from more than 200,000 cases reported to the supervisory authorities in the 31 countries of the European Economic Area.
About 65,000 of these cases were initiated from a data breach report by a data controller, while about 95,000 were complaints.
Of the total fines to date, €50m was the fine handed to Google by the CNIL, France’s data protection regulator, in January this year.
Speaking at a conference in London last month, ICO’s director of investigations Stephen Eckersley said his organisation was working with data protection agencies in the Netherlands and Norway to establish a ‘matrix’ for calculating fines.
This won’t be public facing, he said, but will instead be a ‘toolkit’ for watchdogs. Eckersley also said there was a “massive increase” in reports of data breaches in GDPR’s first month, to 1,700.
This has since levelled out, with around 400 reports each month. Interestingly, research by cybersecurity company Redscan identified that, while GDPR requires data breaches to be reported within 72 hours, the average time for firms to report one is in fact 21 days.
Law firms are the fastest to report, taking an average of 16 days, closely followed by financial firms at 20 days. It is optimistic to think that businesses are better at preventing and detecting data breaches since the introduction of the GDPR.
Despite the prospect of a larger penalty, many are still struggling to understand and implement the solutions they need to achieve compliance.
The fact that even businesses in high-value sectors like the law and financial services are taking two to three weeks to divulge data breaches is a key reason why the reporting rules have been tightened. Aside from the huge fine levied on Google, there have been a few other fines, for far smaller amounts, reported by the ICO.
These include a £40,000 fine on Brexit campaign group Vote Leave for sending out 200,000 unsolicited text messages, a £145,000 fine on The London Borough of Newham for disclosing the personal information of more than 200 people who featured on a police intelligence database, and an £80,000 fine on Alistar Green Legal Services Limited for making 213 nuisance calls to TPS subscribers between March and July 2017.
GDPR delivers numerous up-sides for all firms and businesses. For a start, GDPR compliance demonstrates a business has integrity, is trustworthy, and is committed to accuracy and transparency.
It is also an excellent platform to maximise the firm’s marketing strategy as it enables the firm to be efficient in updating and managing data, and in turn, customer relationships and marketing activities with them. With all the data in one place and in a consistent format that is easy to manage, use, interrogate and analyse, the customer experience can only improve.
Cleaning and fine-tuning data has reduced data volumes, cutting costs and operational inefficiencies. The data held is clean and up to date, further enhancing operational and client-focused efficiencies, and maximising the potential relevance and engagement with clients.
A firm can talk to the right audience about services they are actually interested in, maximising engagement and potential responsiveness.
In turn, this can enhance competitive edge, with a heightened client perception of your firm, and confidence and belief in the way you conduct business and your business ethics.
GDPR elevates the way in which a firm approaches and addresses its client data security, and their privacy too, placing this on an equal footing with other legislation such as health and safety.
According to research by the Database Marketing Agency (DMA), 90 percent of marketers are, in general, positive about GDPR’s impact on email marketing, an important channel for all businesses, particularly law firms.
The research revealed that:
- Despite the challenges of GDPR, 56 percent of marketers feel positive about the new laws’ impact on email campaigns;
- 74 percent report an increase in email open rates since GDPR’s introduction, with 75 percent saying they’ve experienced a climb in click-through rates;
- 41 percent have seen a reduction in opt-out rates and spam complaints.
An analysis of our own e-marketing and client interactions since May 2018 suggests that GDPR’s positive effect is clearly evident for us – for instance, we have seen on average a 12 percent increase in email campaign open rates.
DPO or no DPO?
Firms appear to have been advised by professional bodies and data protection experts not to appoint a Data Protection Officer (DPO) unless they are obligated to do so under the GDPR.
Despite this, many firms appear to have appointed a DPO, which brings with it a raft of further obligations.
Instead of a DPO, we have opted to appoint a Data Protection Executive to manage day-to-day data protection compliance, aiming to instil a strong, but healthily balanced, data protection / information security attitude among staff.
Speaking at the Data Protection Practitioners Conference in April 2019, Elizabeth Denham CBE, Information Commissioner, said she believes “we’re entering a new stage in the GDPR’s development” and that “the crucial, crucial change the law brought was around accountability”.
Accountability encapsulates everything GDPR is about. It enshrines in law an onus on companies to understand the risks that they create for others with their data processing, and to mitigate those risks.
By embedding data protection in the fabric of a business, clients can be reassured as to how their personal data is stored, used and cared for.
At Lodders, we are launching fresh GDPR and information security training across the firm to address working practices and the opportunities GDPR can bring, and to maintain the highest possible standards.
Although the UK is due to leave the EU in the coming months, it is vital businesses still comply with GDPR for two reasons.
Firstly, the rules apply to businesses that have any dealings with European citizens, so even if there is only a small bit of trade with other companies in the EU, the law still applies.
Secondly, the UK’s own data rules have been adapted to take the EU’s regulations into account so if you breach the EU’s laws, you’ve probably breached UK laws too.
Hilary Campton is marketing director at Lodders Solicitors lodders.co.uk