It has been almost two years since May 25, 2018, when the General Data Protection Regulation (GDPR) went into force in Europe and beyond. As it took effect, organizations worldwide struggled to prepare for the far-reaching legislation’s requirements, and many nations grappled with updating their own national privacy and security policies and regulations. One year later, “nearly a quarter of the world’s countries, 45 of the 195 recognized by the United Nations, currently have laws regulating how personal data can be used and more are coming.”
Although there was a flurry of effort by organizations to become compliant with the GDPR, and considerable panic in some industries, the question is what has really happened since the GDPR took effect. The dire predictions of immediate enforcement action and large fines for anyone who missed the deadline did not come true. But the ball has started rolling, and it is gaining speed and size. The conservative estimate is that one year in, 95,000 complaints from individuals and organizations had been filed, including over 41,000 data breach notifications by companies (some reports put this number as high as 59,000), with most complaints related to telemarketing, promotional emails, and video surveillance/CCTV. Of those complaints, only about 52% have been concluded to date, leaving 48% still under review.
What Fines Have We Seen So Far?
As of March 2020, 256 fines had been reported, totaling over €153,324,481, but not all of them concern data breaches. In fact, the €50 million ($57 million) fine handed to Google by the French Data Protection Authority in 2019 was for “processing personal data for advertising purposes without valid authorization.” It is still the largest fine that has been issued.
After one year, the German Data Protection Authorities had already issued 41 fines, both large and small, for a variety of violations. In comparison, one year in, the small island nation of Malta had reportedly issued only 17 fines.
However, there was a belief that heftier fines were coming, and it has proven true. In February 2020, TIM (a telecom provider in Italy) was fined €27,802,946 for not following GDPR rules. Austria Post was fined €18,000,000 in October 2019. In the same month, Germany fined a housing company €14,500,000. Those are not the only large fines. But not all the fines are large: the smallest fine was only €90, issued to a hospital in Hungary.
What Can We Learn from The Fines?
The GDPR fines have revealed a few trends:
1 – Good behavior, cooperation, and demonstrable efforts toward compliance have helped reduce fine amounts so far.
2 – Failing to protect stored passwords (keeping them in plaintext rather than as salted hashes) and neglecting access control will get you in trouble.
3 – The customer is king, as far as consent and transparency go.
4 – Fines are influenced by the location of the decision-makers, not the company’s HQ.
How Many Companies Are Still Not GDPR Compliant?
A year later, fewer than half of respondents to an International Association of Privacy Professionals (IAPP) survey reported that their companies were not yet compliant. This number does not appear to have changed much, even with a growing body of regulation to comply with. Remaining noncompliant is an increasingly risky and expensive proposition.
Perhaps the most interesting developments were the unexpected use of the GDPR to protect the British Royal Family, an application no one had anticipated, and the claim that the GDPR has actually helped large tech companies like Google and Facebook.
What is increasingly clear is that the GDPR was just the beginning of a systemic shift in privacy and data regulation. The new regulation and the change in approach do have benefits. Companies that have complied with the GDPR and other regulations have stronger data protection, are rethinking their processes, and are enhancing their reputation and their relationships with customers. Change can be good. Compliance can be powerful.
Article originally published May 29, 2019, and updated May 12, 2020.