If you had been listening to all the proclamations on May 25, 2018 when GDPR was to come into effect, you may have been surprised when it felt like any other Friday. GDPR came into effect quietly and no one was fined in all of 2018. Don’t take that to mean that European Data Protection Authorities (DPA) are not actively investigating potential violations. In fact, the UK’s DPA, the Information Commissioner’s Office (ICO), received 6,281 complaints between May 25th and July 3rd.
Ticketmaster’s breach of 40,000 customers in June 2017 is viewed as potential for the first large test for GDPR regulators. Names, addresses, email addresses, payment details and more were potentially exposed. GDPR has clearly defined all of those data attributes as needing to be properly protected.
Ticketmaster has placed the blame on a third-party vendor, Inbenta (with Inbenta putting out a press release also pointing the blame back at Ticketmaster). However, one key tenet of GDPR is that a firm is ultimately responsible for breaches or other violations caused by third-party vendors. Furthermore, Ticketmaster claims it discovered its breach on June 23, but did not inform the ICO until June 27. GDPR sets forth that a firm’s DPA must be informed within 72 hours, with fines for failing to report within that window being capped at the greater of 10MM Euros or 2% of annual global revenue. The ICO has yet to announce any enforcement actions against Ticketmaster.
Another point to keep in mind is that the ICO fined both Facebook Ireland Ltd. and Equifax Ltd. the maximum fine of 500,000 Euros, in October and September, respectfully, for their recent breaches. While the fines were issued after GDPR came into effect, both of those breaches occurred before May 25th, 2018. It should be fully expected that DPAs will be willing to assess GDPR’s maximum penalty of the greater of 20MM Euros or 4% of annual global revenue when warranted.
As we move forward in 2019, firms should, above all, have evidence of efforts to become fully compliant. DPAs made it clear that they understood that GDPR was a large undertaking and may not have expected firms to be compliant on May 25th, but they do expect you to make progress. And, their patience will eventually run out.
How do you become compliant? Firms must conduct a review now to determine if the GDPR pertains to their current business, and what steps are needed to become GDPR-compliant. This far-reaching regulation has impacts that are not obvious at first glance. Reviewing client lists and the data is the first step. To achieve GDPR compliance, firms must assess policies and procedures, controls, cybersecurity and technology to determine what changes are needed and how to best implement and monitor them.
