It’s coming up to 12 months since the introduction of GDPR (General Data Protection Regulation), which has been one of the biggest and most significant changes in data privacy in nearly 20 years.
The goal of the new regulation was to allow EU citizens to control how, where and when their personal data is collected and, subsequently, how it is shared and used. The change to the regulations, however, wasn’t just significant for marketers, but for anyone collecting or using people’s personal data. From tech companies and data brokers to medico-legal reporting agencies like ours, it has been imperative to make sure personal data is secure, protected and used responsibly.
As a business, Premex Group, which is made up of 4 separate brands (Premex Services, Premex+, 3d Rehabilitation, ExamWorks Investigation Services), has always had personal data at the forefront of what we do. With the sensitive nature of the data we handle, we have always had strict controls which have been certified to the ISO 27001 information security standard.
We saw the introduction of GDPR as an opportunity to re-examine our existing processes and strengthen them further, completing a full audit of every system that is used for the processing of personal data across the Premex Group.
Because one of the core objectives of GDPR was to provide data subjects with greater control over their personal data, a key part of our work for the GDPR project was to provide end users with greater transparency and assurance over the use of their personal data.
Simple changes such as updating our privacy notices, designed to provide a clear understanding of who we are as a company and the way in which we will process personal data, helped to make sure we are compliant. However, these aren’t the only changes that we have made.
Premex Group has a clear focus and drive towards improved data security through complying with GDPR and also conforming to ISO 27001. Complementing this, Premex+ has recently appointed a Caldicott Guardian to strengthen our governance controls. You can find out more about the role of our Caldicott Guardian on the Premex+ blog here.
So what impact has GDPR had on the wider business world?
For most businesses, the introduction of GDPR required a significant investment of time and effort, and potentially even money. This investment, however, is likely to be a drop in the ocean compared with the potential fines that can be handed out for any breaches, which can be up to 4% of global turnover.
According to a recent survey commissioned by Marketing Week*, there has been a mixed reaction to the introduction of GDPR. On the plus side, they found that 93% of people had heard of GDPR, with 39% saying that they know a fair amount or a ‘great deal’ about the data law. 41% of people also believe that companies give them more control of their personal data than they used to.
Unfortunately for many brands, however, 46% of people don’t think that GDPR has made any difference at all and 17% believe things have actually got worse over the past 12 months.
Whilst there have been mixed reactions to the introduction of GDPR, it has clearly been making an impact. The European Commission has reported the following figures**:
• 95,180 complaints have come from individuals who believe their rights have been violated under GDPR
• 41,502 data breach notifications where a company has accidentally or unlawfully disclosed personal data
So far there have only been a few major fines in accordance with GDPR. In May 2018, on the day GDPR came into effect, Google, one of the world’s largest tech companies, was reported to the French data regulator, CNIL. Following an investigation, CNIL moved to fine Google €50,000,000 (£44m) for a breach of the GDPR regulations in the use of their ad personalisation.
Cases pre-dating GDPR, pursued under the Data Protection Act 1998, are also continuing to positively affect the enforcement of the new regulation. Cases such as the Morrisons Supermarkets data breach have meant that companies have now been advised to insure themselves against claims and to implement technical safeguards to reduce the risk of future breaches. These types of cases are helping to inform and guide businesses such as ours in best practice and protecting personal data.
GDPR is still in its relative infancy, so it is likely that we will see more fines and sanctions as investigations into breaches and failures in process progress over time. At Premex, our Legal and Compliance teams are always keeping an eye on the ever-changing landscape to maintain our position as leaders in our field when it comes to protecting personal data. In the meantime, Premex Group will continue to develop new and improved processes, ensuring all personal data is protected to the highest degree.
*Marketing Week commissioned survey of 2,000 consumers conducted by Ipsos Mori - https://www.marketingweek.com/2019/05/20/consumers-gdpr-brand-experience/
**Figures based on May 18 - Jan 19 - https://ec.europa.eu/commission/sites/beta-political/files/190125_gdpr_infographics_v4.pdf