Andy Barratt, UK MD at cybersecurity consultancy Coalfire, evaluates the way GDPR fines are levied and asks whether the current process will benefit organisations and their customers in the long term.
While headline-making data breaches are nothing new, the eye-watering fines levied upon UK organisations in recent months have undoubtedly served to bring the General Data Protection Regulation (GDPR) back to the fore more than a year on from its inception. The first significant fines of the GDPR era relate to British Airways and hotel group Marriott, with the Information Commissioner’s Office (ICO) meting out almost £300 million in GDPR fines across the two businesses this summer. While both have taken clear and decisive action to better protect their customers’ personal data in the aftermath, ultimately, very few organisations have proactively delivered enough meaningful change over the last year to avoid the risk of a similar fate.
All bark and no bite?
For many of GDPR’s critics, there was previously a sense that the new regulations lacked teeth. In fact, prior to July’s watershed fines, only a fraction (0.25%) of incidents reported to the ICO resulted in any form of monetary penalty. Meanwhile, research from the UK’s Department of Digital, Culture, Media & Sport found that – despite having been in effect for well over a year at the time of questioning – 70% of UK organisations had not made any changes to their cyber protocols since the introduction of GDPR.
Since the ICO’s clear show of strength, however, cybersecurity and legal firms have seen a huge surge in interest as companies look to ensure they avoid similar punishment. Research conducted by the Financial Times found that news of the fines produced an immediate 32% spike in organisations seeking out cyber-insurance and data protection training.
Setting the bar
With firms now showing a clear desire to be on the right side of GDPR, the ICO has a unique opportunity to improve data compliance.
But, with no formal audit or assurance programme in place, organisations remain confused as to what best practice and compliance look like in the eyes of the ICO. How can they ever demonstrate that they’ve ‘done enough’?
Until the ICO provides clear guidance in this respect, organisations may find it difficult to show that they have taken appropriate measures to protect data, or even to assess whether it’s possible for them to do so within their current financial means.
GDPR ultimately gives the ICO the power to fine organisations life-changing sums of money, so it’s difficult to disagree with calls for the UK government to introduce clearer guidance to help them understand exactly what is expected of them.
Reinvesting in cybersecurity
In the UK, the ICO maintains a strict policy of not receiving any of the funds generated through fines, which are instead sent directly to the Treasury. This allows the ICO to operate freely without cause for speculation that it could be profiting from fines levied or acting out of self-interest. However, it also means that it is unclear how money generated through GDPR fines is reinvested into the system to help improve data protection standards.
This is in contrast to other cyber-related regulations, where large fines are typically part of a fraud recovery system. For example, fines generated through the Payment Card Industry Data Security Standard are used to cover the cost to card issuers of reimbursing victims of fraud.
As it stands, such heavy GDPR fines are a double punishment as they effectively remove funds from organisations that could be invested in improving cybersecurity standards. While the ICO has confirmed it is currently exploring options, such as ringfencing income to cover potential litigation costs to defend its decisions, no procedure has been put forward to help support the people who have been defrauded or help educate organisations on how to do better.
Fit to blueprint?
GDPR has undoubtedly helped to usher in a new era of consumer awareness. Since its introduction, figures show that more than 37,700 data protection concerns have been raised by members of the public to the ICO.
While the GDPR fines levied upon BA and Marriott have put organisations on notice, more guidance is needed if they are to understand how and where to improve their processes. If GDPR is to be seen as a blueprint for other nations to implement, then we must first iron out the creases and make sure it works for those it currently impacts here in the UK.
With clearer guidance, UK organisations can start making real headway in properly protecting their customers’ data.