When the EU General Data Protection Regulation (GDPR) came into force back in May 2018, there were many conflicting opinions regarding its likely impact.
Some saw it as the most radical shake-up of data privacy law in 20 years. Others felt that, in reality, the obligations placed on organisations that hold and process personal data were more or less identical to their obligations under the existing legislation.
One undeniable impact of the GDPR has been the significant increase in public and media focus on data usage and security. High profile cases of alleged deliberate data misuse coupled with numerous instances of sophisticated cyber-attacks against large organisations have repeatedly made the headlines.
And it's easy to see why, when the Information Commissioner's Office (ICO) has recently handed British Airways its largest ever fine, and its first fine under the powers of the GDPR.
The BA penalty of £183m amounts to roughly 1.5% of its worldwide turnover in 2017. Less than the possible maximum of 4%, but still a chunky increase on the ICO's previous fines. Scarcely 24 hours later, the ICO outlined its plans to fine US hotel group Marriott International £99m in relation to a breach involving the data of millions of guests.
It seems, therefore, that there is now a second undeniable impact of the GDPR: the ICO not only has the power to issue larger fines, it is not afraid to use it.
The announcements of these fines came with a warning from the Information Commissioner herself, Elizabeth Denham: "The law is clear - when you are entrusted with personal data, you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights".
It's safe to say that in the event of a malicious attack, if the target organisation itself was not doing enough to protect such data in the first place, then it will not escape liability and the possibility of significant fines.
Our clients frequently ask us about the procedural documentation and written policies we can provide in order to ensure they comply with the GDPR. Such documents are important, not least in order to demonstrate that an organisation has considered its data responsibilities and, in the case of public-facing documents, to give data subjects important information about their data rights. In practice, however, they are of limited effect if the organisation does not actually adhere to them.
In other words, it's all very well saying "the security of your personal information is our top priority", but if the reality is very different then the organisation in question is likely to fall foul of the regulator.
From large multi-nationals to startups, heeding the warning of the Information Commissioner and taking appropriate practical steps to protect personal data has never been more essential. As global reliance on the exchange and processing of personal data becomes ever greater and more widespread, it seems likely the number of data-related stories hitting the headlines is only going to go in one direction.