GDPR one year on: the winners and the losers
The General Data Protection Regulation has been the most important change in data privacy regulation in over 20 years, with companies such as Google, WhatsApp and Instagram facing complaints seeking fines of up to $9.3 billion within just 24 hours of the law coming into effect. But while many have suffered, others have prospered. One year after it was introduced, we look at three kinds of business that have not only ‘survived’ GDPR, but benefitted from it – and three companies that have fallen foul of the legislation.
There was a period of frenzied activity in the build-up to the introduction of GDPR last year. Even before the EU’s new, beefed-up data and privacy regulation came into effect on 25 May 2018, UK and US businesses had spent a colossal $8.9bn on efforts to become compliant, according to estimates compiled by the International Association of Privacy Professionals (IAPP) and accountancy firm EY.
Now, a year on from the introduction of GDPR, that figure dwarfs the total amount in fines meted out as a result of the new law. Just €56m in penalties has been handed out at the time of writing, and the vast majority of that sum was a single fine of €50m for Google. So, are businesses now out of the woods?
Far from it, says Alan Calder, founder of data privacy and cyber security firm IT Governance. ‘Our own research suggests 25-30% of UK companies are largely in compliance with the requirements of GDPR.’ Of course, that leaves a significant percentage that aren’t.
‘Probably still 45 or 50% are still working towards compliance at one level or another. Then there’s probably 15 or 20% who think it’s something they don’t need to do, or think it won’t ever apply to them.’ The companies in the last of those three categories could soon find themselves in trouble. Calder expects some ‘eye-watering’ fines to be issued in the coming months, as the real clamp-down begins.
So, a year on from the introduction of GDPR, who are likely to be the winners and losers?
In what it described as a ‘sophisticated criminal act’, the airline lost customers’ personal details, credit card numbers and – crucially – the three-digit ‘CVV’ security codes that are meant to prove a card is physically in the buyer’s hands during online (card-not-present) purchases, and which a merchant is not supposed to store after a transaction is authorised. The breach, which took place in late August and early September 2018, gave rise to criticism that alleged cost-cutting on IT had come home to roost – a claim that the company denied. At any rate, British Airways could, in theory, be hit with a fine of up to 4% of its global annual turnover, which equates to roughly £500m.
A breach of the Starwood division of the hotel group is reckoned to have given hackers access to personal details of up to 500 million customers. The UK Information Commissioner’s Office announced that it would be ‘making enquiries’ and a fine under GDPR is likely, says Calder. ‘It will take two years to investigate, but there will certainly be a lot of EU residents’ data compromised and it will lead to another big fine. That’s a racing certainty.’
The pub chain has not received a fine under GDPR – and it may never do so – but its example shows that there’s more than one way to lose out as a result of data regulation. In 2017, following a major 2015 breach of personal details relating to 656,723 customers, the company took the unusual step of deleting its entire database of customer email addresses. It’s possible that the company may have ‘lost track of who had given consent’ to be contacted, according to Wired. And, in such cases, efforts to address the problem can actually end up leading to fines, as Honda and Morrisons have discovered in the recent past. Whatever the case, the company elected to voluntarily give up a valuable resource, rather than take on the risk that comes with holding onto it.
Firms who put the ‘PR’ into GDPR
One of Calder’s clients, a printing firm, put all of its employees through a GDPR-awareness training course. ‘Everybody in the company passed,’ he says. ‘And they ran a PR campaign on the back of it. The company used it as a way to win business, telling clients: “We know we might be dealing with sensitive information and personal data: everybody here is aware of what that means, and we are compliant with the regulation.”’
Google may be the recipient of the biggest GDPR fine to date. However, argues Calder, it’s small beer in comparison to the company’s revenues. ‘€50m – so, what? It’s the equivalent of a rounding error. There are likely to be more fines, but they can afford them.’
Companies that can stay in the ICO’s good books
According to Calder, organisations that haven’t been hit by fines so far should not pat themselves on the back and ‘drop their guard’. ‘GDPR is a journey, not a destination,’ he says. ‘GDPR has a specific requirement that organisations embed protection “by design and by default”.’ That means designing systems and training staff to be on alert for phishing scams and other security threats that can lead to breaches of GDPR. ‘It’s a specific requirement, and failure to meet it can come with a heavy cost: a fine of 2% of global revenue, or €10m, whichever is the higher.’