In May 2018 the European Union's General Data Protection Regulation (GDPR) came into force, setting out new rules on how organisations handle personal data. As one of the most significant changes to data privacy law in recent years, the GDPR regulates how organisations collect, store and secure the personal data of individuals in the EU, regardless of where the organisation itself is based.
However, many companies have struggled to meet the new rules. For example, in July 2019 the Information Commissioner's Office (ICO) announced its intention to fine British Airways £183 million, finding that poor security arrangements on the airline's website had allowed attackers to harvest the personal and payment card details of roughly 500,000 customers in a 2018 attack (the penalty was later reduced to £20 million when the ICO issued its final decision in October 2020). While companies like British Airways are already facing large penalties for non-compliance, a recent report by the Capgemini Research Institute found that fewer than a third of companies consider themselves GDPR compliant.
There are various reasons why companies are struggling to comply, including skill shortages, a reluctance to update old systems, the financial costs of GDPR overhauls and the fact that compliance is ongoing rather than a box-ticking exercise that can be performed swiftly.
Although the GDPR is a complex regulation that will take time and effort to implement, especially in large businesses, there are significant advantages to getting it right. Businesses that implement the required changes properly are less likely to suffer a data breach and the reputational damage that follows. The British Airways case demonstrates that GDPR non-compliance carries significant financial risk, and any future failures in personal data handling could lead to further regulatory or legal action.
GDPR compliance has raised a number of issues that current and aspiring lawyers should keep in mind, not least that non-compliant companies could face significant legal challenges in the coming years. Although the GDPR took effect in May 2018, many companies are still struggling to meet its requirements; if this continues, those companies will accumulate a backlog of potential privacy issues. Further, as the Internet evolves, so too will the risks associated with online data privacy.