GDPR – how some companies are going from fine to fined

Marbral Advisory’s Change Architect, Ian Richardson, looks at why GDPR is still causing headaches for numerous companies four years on from inception and tackles some common misconceptions.

The year is 2022, Brexit is in the rear-view mirror and ‘Teams’ calls are finding their way in the ‘I must not wear my pandemic pants now that we’re back in the office’ world. But four years on from every privacy policy author wearing out their keyboards filling our inboxes with GDPR compliant literature, everyone’s favourite four-letter acronym is still here and still troubling businesses.

Let’s remind ourselves what GDPR is at its core. The General Data Protection Regulation (GDPR) is a law which controls how organisations process and control consumer personal data and provide the consumer a greater level of protection than was previously afforded, especially when it comes to providing personal data in a digital world.

Under the GDPR, individuals are provided with more control in terms of the controlling and processing of their data, which can be easily identified by the eight data subject rights;

1. The right to be informed – To know what personal data is collected about them, why, who is collecting data, how long it will be kept, how they can file a complaint, and with whom will they share the data.

2. The right of access – To be able to request a copy of any of personal data which is being ‘processed’ (i.e. used in any way) by ‘controllers’ (those who decide how and why data are processed)

3. The right to rectification – To be able to ask an organisation to update inaccurate or incomplete data.

4. The right to erasure – To ask for personal data to be deleted (subject to public interest, compliance, or legal obligation)

5. The right to restrict processing – Meaning an individual can limit the way that an organisation uses their data.

6. The right to data portability – Allowing an individual to obtain and reuse their personal data for their own purposes across different services.

7. The right to object - Effectively meaning you can stop or prevent the organisation from using your data.

8. Rights in relation to automated decision making and profiling. You have the right to not be subject to a decision based solely on automated processing.

Whilst the eight data subject rights for the consumer are relatively straightforward to understand, some organisations are still in a bind as how to implement a compliant data protection protocol internally and pose questions such as;

Does the GDPR still apply in a post Brexit world?

YES! The GDPR is retained in domestic law as the UK GDPR. The Data Protection Act 1998 has been replaced by the Data Protection Act 2018, which incorporates the General Data Protection Regulation.

Does the GDPR apply to my new business?

YES! GDPR is vital for every organisation, old and new. It should not be overlooked when starting a new business. 

We took care of the GDPR in 2018, do we need to keep aware?

Absolutely, YES! It is important to keep your internal registers, procedures, and documentation up to date and keep your employees regularly trained so they understand how to remain compliant.

When GDPR was introduced, companies were threatened with fines, did these ever happen?

YES! The UK GDPR and DPA 2018 set a maximum fine of £17.5 million or 4% of annual global turnover – whichever is greater. In the UK⁽¹⁾ alone British Airways, Marriott International Inc, Ticketmaster UK Limited and the Governments’ own Cabinet Office have received fines ranging from £500k in the Cabinet Offices case to £20m in BAs case. Further afield, Amazon Europe Core S.à.r.l., WhatsApp Ireland Ltd and Google LLC have all received enormous fines.

These are just some of the questions asked on a daily basis, and they highlight why we need to keep talking about GDPR and why we also need to continue to take it seriously. At Marbral Advisory, we recognise this and offer a range of e-learning courses, advisory services and toolkits that are proving vital to our clients in keeping their organisations GDPR compliant.

Marbral Advisory helps businesses harness success through organisational, regulatory, and digital strategy and implementation. To find out more, visit www.marbraladvisory.com or contact: natasha.egre@marbraladvisory.com

^{1-            https://www.enforcementtracker.com/ - Tracks the controller/processor, country of origin, date of the fine, the fine amount and the quoted article breached by organisations.}

^{2-            https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-officers/ - The Information Commissioners Office, commentary around appointing a DPO}