It has been an interesting few weeks in terms of breaches and cyber-related incidents, especially since the GDPR came into force in May.
Having a look through the first few pages of Google News, focusing on stories that affect the UK, it is obvious there has been a sharp increase in the number of reported breaches, ranging from the latest instalment in the Dixons Carphone data protection horror show to a council sending out an email that also disclosed the email addresses of every recipient.
Not surprisingly, most of the breaches being reported are claimed to have happened before the GDPR enforcement date of 25th May, so keen observers will be watching how the ICO judges these: whether the new limits on fines will apply, or whether historical breaches that are reported after 25th May fall under the previous, significantly lower limits. A European Commission official has already stated that historical breaches will come under GDPR rules, so the first case involving a pre-25th May breach will be a landmark.
Fines for Thought
In my opinion, the trend for the next few months at least is that the majority of data breaches brought to light will be pre-GDPR, given how long it normally takes for most breaches to be identified. What I am interested to see is whether a company (or its lawyers) attempts to alter the timeline to make a breach appear to have occurred before 25th May, and how the ICO will react to this.
I am waiting with anticipation for the first enforcement actions to be issued under the GDPR, as these will likely set the tone moving forward: which supervisory authority will it be, how long from breach notification to fine issued, and so on. The ICO has stated from the beginning that GDPR was not going to be used as a way of making money and that issuing fines will be a last resort. It is worth noting the ICO has never actually issued the previous maximum fine of £500k, so I am interested, as I am sure most people are, in how sharp the ICO’s teeth will be this soon after the new laws came into effect. Elizabeth Denham’s opening remarks in the Facebook/Cambridge Analytica hearing make it clear that serious breaches will be treated seriously. It is also worth noting that 4 of the 10 largest fines issued by the ICO to date were to smaller organisations that immediately folded the business, with, presumably, the ICO receiving nothing. Had TalkTalk’s record £400k fine been the £59m it could have been under the GDPR, would that have meant a swift liquidation and sell-off of assets to a rival? Almost certainly. It is clear the ICO has to play its hand very carefully.
Another thing I will be paying particular attention to is how breaches that affect EU citizens but happen outside the EU are handled. PageUp recently suffered a data breach affecting 2.6 million people across 190 countries. Did they have a breach plan that meets GDPR requirements? Which supervisory authority will take the lead and issue any fines, and how will those fines be enforced against companies that operate outside the EU? Will any fines be redistributed to each affected supervisory authority? All important questions yet to be answered.
There are still many grey areas in GDPR enforcement and jurisdiction, and the next 12 to 24 months will be about straightening out the kinks, with everybody from companies to individuals coming to understand what GDPR really means.