The General Data Protection Regulation (GDPR) came into force on 25th May 2018. Now over a year since its introduction, has it changed data protection practice?
Although not an exact science, various surveys and reports have tended to indicate an increased awareness in data subjects of their rights, as well as an increase in breach reports and subject access requests.
These findings appear to be borne out by the Information Commissioner's (ICO) recently published annual report, which highlights an increase in activity in almost every category reported on. Some key findings include:
- The ICO reports a 66% increase in contact through its helplines and a 72% increase in visits to its website.
- A survey carried out by the ICO found that 64% of data controllers surveyed agreed they had seen an increase in the exercise of data protection rights since the introduction of the GDPR.
- The ICO received 41,661 complaints from the public in 2018/19: an increase of around 50% on the previous year. The most common subject matter of complaints was non-compliance with subject access requests (38%) followed by improper disclosure of data (16%). This appears to support the reported evidence of an increase in exercise of rights.
- Separately, the ICO also reports a significant increase in personal data breach reports from data controllers, which have gone up from 3,311 in 2017/18 to 13,840 in 2018/19: an increase of over 400%.
- The ICO’s report also notes an increase in complaints under the Privacy in Electronic Communications Regulations 2003 (PECR), which regulate direct marketing and cold calling. The majority of the complaints relate to telesales calls, including those which feature recorded messages.
This increase in breach reports is not particularly surprising given the duty to report under the GDPR, but it appears to demonstrate that the breach reporting duty is being taken seriously, and is also potentially an indication of the level of data protection issues which may have been occurring unreported in the past.
Data controllers are likely to be particularly concerned about fines, given the increase in the level of fines which can be levied by regulators. The ICO recently imposed the two largest fines so far: £99 million on Marriott hotels and £183 million on British Airways. These fines are far larger than any other imposed in Europe following the introduction of the GDPR, and indicate that the ICO is fully prepared to impose significant penalties. However, the good news for data controllers is that fines remain very much the exception rather than the rule. Of the breach reports dealt with by the ICO in 2018/19, less than 1% led to action beyond requiring the controller to take further steps to address the issue, and a monetary penalty was imposed in only 0.05% of cases.
This information indicates that individuals appear to have a greater awareness of their rights, how to exercise them and how to complain to the ICO if they believe these rights have been infringed. Although fines are still relatively rare, this knowledge and willingness to enforce should give greater incentive for organisations to comply with data protection principles given the risk of enforcement action and reputational damage which might result.