Why Worry About GDPR? It’s All Fine!
The dust has settled on GDPR and maybe some people are wondering what all the fuss was about. The world has not caved in (yet!) and we have not seen an explosion of subject access requests, litigation or Information Commissioner's Office (ICO) investigations.
Don’t get complacent
However, now is not the time to be complacent. This may well be the calm before the storm. Most legal action takes time and unless the ICO or someone else releases a news report at the outset, you will most likely hear nothing about it until the end, some years later. By that time you may well be under investigation yourself and it may all be too late.
A couple of examples. A post-GDPR decision (7th June 2018) of the ICO went against The British and Foreign Bible Society, based in Swindon, which was fined £100,000 by the Information Commissioner's Office after its computer network was compromised as the result of a cyber-attack back in 2016.
Note that because this breach occurred in 2016, the fine was issued under the old, pre-GDPR rules; the breach was the result of a criminal hack and there was no evidence of financial or data loss.
Fast forward two years and an organisation might expect to receive a GDPR fine of 4% of its last year's turnover. In the case of an organisation of a similar size to the Bible Society, that fine might be over £700,000.
This 700% multiplier is the effect of the new post-GDPR fining powers.
In a case decided on 11th June 2018, Gloucester Police received a GDPR fine of £80,000. The force was at the time investigating allegations of abuse relating to multiple victims. On 19 December 2016, an officer sent an update on the case to 56 recipients by email but entered their email addresses in the ‘To’ field and did not use the ‘BCC’ function, which would have prevented their details from being shared with the other recipients.
A simple mistake, again decided under the old rules; large firms committing the same breach today might expect a fine many times the one imposed in that case.
It won’t be long before post-GDPR fines become headline news. We are already seeing court cases against some of the major online players, and those are just the ones we know about. The advice here is: don’t think it’s all fine with GDPR. Get your compliance underway and you will lessen the chance of a breach and be in a better position if you are investigated by the ICO.