What’s next for GDPR?

It has been almost two years since the implementation of General Data Protection Regulation (GDPR). In that time data security has become an ever more important facet of business.

In the latest report following our round table on cyber security in partnership with international law firm CMS, we explore the impact a breach can have as a result of GDPR, how the Information Commissioner’s Office (ICO) is responding and what the future could hold.

According to Chris Wilson, a senior associate from CMS, there is some key wording within the preamble to the GDPR. “The wording says that the processing of personal data should be designed to serve mankind, that its protection is not absolute but should be considered in relation to its function in society and balanced proportionately against other fundamental rights.”

This raised the question of where, now that digital data is unavoidable, the right balance lies between prosecuting and fining companies for breaches and educating consumers and businesses about what data and cyber security really mean.

Jordan Wilson, managing director of marketing agency Mount Digital, proposed that surely the best way of engaging with users at both a consumer and business level is to have a firm’s security rating clearly displayed. He suggested a system similar to the Food Hygiene Rating that exists for food outlets, to show a business’s security credentials.

Amit Tyagi, senior associate at CMS, responded: “It appears current policy is looking at it from the other angle. Whether it’s right or not, they’ve introduced the mechanism now where we seek to hold companies accountable for the failures that lead to breaches.” Amit went on to highlight that the ICO has increased penalties considerably following the implementation of GDPR and the Data Protection Act 2018.

He cited the example of Cambridge Analytica and its case with Facebook which saw a fine of £500,000 imposed in the UK. Under the latest GDPR rulings that fine would have been in the hundreds of millions.

To date the record fines have been for big-name firms, including British Airways, which in 2019 was fined £183.39m by the ICO for a cyber incident in September 2018. The incident saw approximately 500,000 customers compromised over a four-month period.

Amit also highlighted how GDPR has been held up as an example of best practice, saying that the recent California law, the Consumer Protection Act, adopted last year, was modelled on GDPR.

Ian Mann, CEO of ECSC, also supported current legislation, stating: “There is provision in GDPR to have a certification, the UK hasn’t adopted that yet.” He continued: “At the moment we have a range of schemes including ISO 27001 [an information security standard] etc.”

He concluded that “it’s a bit early to say we need something else”, citing the example of penalties such as prison time for directors for health and safety offences driving good behaviour.

What was acknowledged throughout the discussion was that since GDPR was implemented an education is underway. CEOs and COOs are now understanding that they could be the ones who pay the price for poor cyber security. As a result, they’re more engaged in the topic.

Amit continued that one area that does need education, and cannot be dealt with simply by fines, is the response to a breach. In the new post-GDPR world where “we don’t know where the courts are going to land in terms of compensation and payments”, the biggest issue, according to Amit, is to ensure the information you supply to the ICO following a breach is right. His best suggestion was to work with a lawyer and, if possible, forensic IT consultants to gain as much information as possible and create a report for the ICO. Using a lawyer early on can ensure the experts’ findings and advice are protected by legal privilege.

Chris from CMS also highlighted the benefit of working with experts once a breach has happened, not just from an ICO perspective but from a civil liability perspective. “I certainly find that reports from external forensic IT consultants on the cause and results of the breach can be beneficial when it comes to dealing with civil liabilities,” he said. He added: “As the reports can show nothing could be done to prevent the breach, appropriate systems were in place, or that no data was compromised.”

So what’s next for data breach fines and prosecution? The group agreed that figures are likely only to go up.

The most interesting concept, however, might be the response to breaches on the civil liability front, which has a much lower threshold of evidence. Chris suggested: “One possible situation for non-financial losses might be a tariff system where insurers simply confirm that the business was involved and then pay, for example, a fixed amount depending on the seriousness of the consequences of the breach to the claimant.”

What is clear is that, with a growing amount of data stored digitally and the landscape constantly evolving, businesses need to be more aware of the risks of, and responses to, a cyber security or data breach.
