After the GDPR journey came the GDPR deadline. This came and went and the world didn’t end. Some people asked me why there wasn’t a transition phase to get ready in time. I responded that they were in the transition phase as the law actually changed in April 2016. A plethora of organisations scrambled to update their systems and processes before GDPR became enforceable on 25 May 2018.
Those dreaded emails
Many took this to mean they had to send lots of emails to their database requesting users to opt back in. Some didn’t distinguish between users who had given permission already and those who hadn’t. Or between existing clients and potential clients. Or personal and business users. If they had, they could have saved a lot of unsubscribes by those too lazy to click the button. Or people like me: I simply used it as an opportunity to reduce the amount of spam I receive. In some ways, perhaps it was a good exercise. Those people who actively clicked to give permission are exactly the users the organisations want. I’m waiting to see if the Information Commissioner’s Office will end up handling complaints from people annoyed at receiving emails from organisations they had never given their permission to in the first place.
Higher fines? Not yet
GDPR created fear because of the steep rise in fines. Before the GDPR journey began, the most severe fine in the UK was £400,000, which is 80% of the maximum. Fines could now go up to €20,000,000 (about £17m) or 4% of annual global turnover, whichever is higher. This is something businesses want to avoid. The ICO has continued to issue fines after 25 May. This includes Yahoo! (£250,000) after a cyber-attack compromised their network (in 2014) and Gloucestershire Police (£80,000) for revealing identities of abuse victims. But these are under the old law and we still await the first GDPR fine.
Cambridge Analytica & Facebook
I had thought Cambridge Analytica would be one of the first. Most people know about this story. Cambridge Analytica took personal information from more than 50 million Facebook profiles and used it to build a system that could target US voters with personalised political ads based on their psychological profile. Employees of Cambridge Analytica, as well as the suspended CEO Alexander Nix, were even filmed boasting about using several dirty tricks to swing elections around the world. The Information Commissioner has been investigating it, assigning 40 or more people. Some say this is the largest investigation ever undertaken by a data protection authority. Of course, because GDPR became law in April 2016 any breaches since then could lead to a new, higher fine. Maybe it’s no coincidence that Cambridge Analytica has shut down.
The GDPR journey and Brexit
For a while, people were confidently telling me that Brexit meant we could abandon GDPR. I told them they were wrong on two counts. First, the GDPR journey started and would be in force before Brexit. That’s now happened. Second, even after Brexit, if the UK wants to send and receive personal data with its EU neighbours, it will have to adhere to GDPR. The key issue about Brexit is that the UK will have little influence over any possible changes to GDPR or other data laws. Recognising the importance of data flows, the UK asked for a special deal. The EU Commission rejected this. Brexit means Brexit after all. So, we will have to follow GDPR but won’t be able to lead on it. Also, if the European Court issues rulings on GDPR, can the UK Supreme Court realistically ignore them and come to a different conclusion? The other factor to consider is whether the broad powers under the Snooper’s Charter – or the Regulation of Investigatory Powers Act to use its proper title – will mean the UK is not deemed to provide adequate protection for data transfers. This will lead to Privacy Shield style negotiations for the UK. And that will keep Max Schrems busy for even longer!