It’s been a year since May 25, 2018, when the General Data Protection Regulation (GDPR) went into force in Europe and beyond. As it went into effect, the world struggled to prepare for the far-reaching legislation’s requirements, and many nations grappled with updating their own national privacy and security policies and regulations. Now, “nearly a quarter of the world’s countries, 45 of the 195 recognized by the United Nations, currently have laws regulating how personal data can be used and more are coming.”
Although there has been a flurry of effort by organizations to become compliant with the GDPR, and great panic in some industries, the question is what has really happened during the GDPR’s first year in action. The dire predictions of immediate enforcement and large fines for failure to meet the deadline have not come true. But the ball has started rolling, and it is gaining speed and size. The conservative estimate is that 95,000 complaints from individuals and organizations have been filed, including over 41,000 data breach notifications by companies (some report this number to be as high as 59,000), with most complaints related to telemarketing, promotional emails, and video surveillance/CCTV. Of those complaints, only about 52% have been concluded to date, leaving 48% still under review.
What Fines Have We Seen So Far?
As of January 2019, 91 fines have been reported, but not all are about personal data. In fact, the €50 million ($57 million) fine handed to Google by the French Data Protection Authority was due to “processing personal data for advertising purposes without valid authorization.”
The German Data Protection Authorities have issued 41 fines, both large and small, for a variety of violations. The largest fine they issued was for €80,000. In comparison, the small island nation of Malta has reportedly issued 17 fines. Just recently, the Danish Data Protection Authority issued its first fine, to a taxi company for delaying the deletion of customer information. The fine amounted to €160,754, or 2.8% of the company’s annual revenue. This most recent fine gives strength to the belief that heftier fines are coming.
What Can We Learn from The First GDPR Fines?
The first year of GDPR fines has revealed a few trends:
1 – Good behavior, cooperation, and demonstrable efforts toward compliance have helped reduce fine amounts so far.
2 – Skipping password encryption and neglecting access control will get you in trouble.
3 – The customer is king, as far as consent and transparency go.
4 – Fines are influenced by the location of the decision makers, not the company’s HQ.
What GDPR Regulatory Cases Are Still Pending?
Many significant cases are still open and in line for review, including: British Airways, Marriott (the mega-breach), Microsoft, Instagram, WhatsApp, Apple Inc., Amazon, Netflix, Spotify, and 16 cases against Facebook. The fines against Facebook could potentially total $1.63 billion and cover breaches, issues with data processing and transparency, as well as consent complaints.
There is concern that Ireland, due to its relationship with tech giants, may not hold these big firms as accountable as other nations might under the stringent new regulation. Considering that it is the Irish Data Protection Commissioner investigating the 16 cases against Facebook’s data handling, that concern may have significant repercussions.
How Many Companies Are Still Not GDPR Compliant?
Even a year later, fewer than half of respondents to an International Association of Privacy Professionals (IAPP) survey indicate that their companies are still not compliant. With the trend pointing to an increase in fines, remaining noncompliant a year later is a risky proposition.
Perhaps the most interesting points are the surprise application of the GDPR to protect the British Royal family, a use that no one had anticipated, and the claim that the GDPR has helped large tech companies like Google and Facebook.
A year into the new regulation, what seems clear is that the GDPR was just the beginning of a systemic shift in privacy and data regulation. The new regulation and shift in approach do have their benefits. Those companies that have complied with the regulation have stronger data protection, are rethinking processes, and are enhancing their reputation and relationships with their customers. Change can be good.
The GDPR fines in the first year were not as prevalent or as large as expected. The backlog of cases points to an increase in fines to come this year. Just about half of the organizations that need to be compliant are. However, the changes to privacy and data regulations are not over. With companies still working on GDPR compliance as well as differing state and national requirements, there’s a new piece of legislation on the EU horizon: Strong Customer Authentication (SCA) under the Payment Services Directive 2 (PSD2). File it under things to look forward to. Remember, change can be good.