GDPR – The Story So Far

GDPR  went live on the 25th May 2018.

As most (sensible) people predicted the world didn’t end, nobody was fined £20m odd and businesses did not drown under the weight of people unsubscribing to their emails.

So, what happened?

You may have noticed that you became extremely popular in the lead up to the 25th May. Companies that you’d not heard from in years, or that you don’t remember ever having had an email from before, suddenly popped up in your inbox begging for consent to email you. If you, like most people, just ignored them then you SHOULD now be removed from those lists forever. Hurrah; isn’t GDPR brilliant?!

Within forty-eight minutes of the GDPR coming into force, Max Schrems, who has previously campaigned against US social media platform and tech companies for alleged privacy violations, launched the first challenges under the GDPR.

Facebook, Google, Instagram and WhatsApp were accused of forcing users to consent to targeted advertising to use the services.Privacy group, led by activist Max Schrems, said people were not being given a “free choice”.

Complaints have been filed in France, Austria, Belgium and Germany and request that regulators impose fines of up to $4.3 billion – roughly 4 percent of each company’s revenue for 2017, the maximum penalty allowed under the GDPR.

In statements, both companies defended their data collection practices, saying they fully complied with the new European regulations.

Some high-profile US news websites were temporarily unavailable in Europe. The Chicago Tribune and LA Times were among those saying they were currently unavailable in most European countries.

Meanwhile, a service used to identify and contact website owners has been forced to strip out information on its site to comply. Whois is often used by journalists and police to make quick checks into the legitimacy of websites. It no longer shows contact names, email addresses or phone numbers. Icann, the owner of Whois, had asked for more time to comply with GDPR despite having had years to prepare.

The request was turned down.

Klout got clouted!

Klout – the often controversial social media service – closed on 25th May. Whilst it was not explicitly stated, GDPR might have played a role in Klout’s downfall.

Uber Entertainment, which makes online games, shut down its Super Monday Night Combat game on May 23 because of GDPR. The company said it would cost too much to rewrite the game, or migrate it onto a different platform. The current design, which was built in 2009, makes it difficult to delete data from user accounts.

“We’ll keep playable for as long as we are legally allowed to, but the day GDPR hits, we’ll pull it down so as to be in compliance,” said Jeremy Ables, CEO of Uber Entertainment.

Gravity Interactive, the maker of Ragnarok and Dragon Saga games, took a different approach. It blocked Europeans from accessing its games.

Czech internet company has said it will shutter its social network for classmates because of the regulation. It said the platform, which has 20,000 daily active users, would have to change completely to comply with the regulations.

The amount of tweets, LinkedIn posts etc. mentioning GDPR dropped off a cliff and the GDPR consultants went quiet. They were probably taking a well earned break to count all the money they’ve made with unnecessary consultancy and poor advice. We generalise of course; there are some excellent consultants who have done some great work and will ultimately save the businesses they’ve worked with lots of money and, more importantly, keep peoples data safe.

So, was the fuss worth it?

Well yes, sort of.

Ultimately good data protection makes good business sense, so the work that’s been done has to be a good thing.

In some cases there was overkill. Nowhere was this more obvious than in the previously mentioned barrage of opt-in emails.

Giving a personal example I’m a member of the National Trust, but received several communications from them asking for me to opt-in to receiving their emails, newsletters etc. This was not needed. I pay them a monthly subscription; common sense says that I do want to receive information from them. They therefore can cite ‘legitimate interest’ as a legal basis to continue to contact me. I do not need to provide renewed consent.

Legitimate interest seemed to get lost in the scramble to get consent, but it is one of the legal basis for data processing – the same as consent is. We’ll look at legitimate interest in a bit more detail in a forthcoming blog post.

When is the impact likely to be felt?

We saw an increase in the number of reported incidents and this is likely to continue. The risks associated with trying to hide a data breach have increased so reporting is more likely to happen.

The number of upheld decisions by the ICO was actually lower in May than in April and lower than in May of last year, so we’ve not seen a massive upturn in cases. However, January 2018 did see a record number of fines handed out.

ICO Information Commissioner Elizabeth Denton reiterated the stance of the ICO during her presentation at the Data Protection Practitioners’ Conference on 9 April 2018. “Anyway, I hope by now you know that enforcement is a last resort. I have no intention of changing the ICO’s proportionate and pragmatic approach after 25th of May. Hefty fines will be reserved for those organisations that persistently, deliberately or negligently flout the law.”

There will, I’m sure, be some headline cases in the coming months. But for the majority it’s business as usual.

How we can help with GDPR

We offer a FREE IT Security Assessment and can talk to you about technical solutions to help protect your data and aid with GDPR compliance.

cyber essentials

We can also offer Cyber Essentials certification. Cyber Essentials provides a framework for cyber security and sets out a good baseline of cyber security.

The scheme is backed by government and addresses five key controls that, when implemented correctly, can prevent around 80% of cyber-attacks.