Today (May 25, 2019) marks the one-year anniversary of the European Union’s General Data Protection Regulation coming into effect. Now seems as good a time as any to take stock and assess what the GDPR has taught us.
Have companies embraced stricter data protection laws? Do companies know exactly what is required of them to stay compliant? Have Data Protection Authorities (DPAs) been putting their foot down on enforcement, issuing fines for non-compliance? Has the GDPR influenced other global data protection regulations?
GDPR Issues Have Been Identified
Full GDPR compliance requires constant, ongoing reporting and management, which for many companies remains a roadblock. It demands people, funding or both. Finding staff with the right GDPR knowledge is a challenge, and many organizations lack the financial means to hire a data protection team or a data protection officer.
Evidence also suggests that many companies still are unsure about whether they are GDPR compliant. Security and IT teams have struggled to engage the rest of the organization when it comes to enforcing policies and practices. Employees on the front lines appear to be one of the biggest stumbling blocks to both security and compliance.
The Board Still Struggles With GDPR
With data security and privacy becoming more of a pressing concern amongst the general public, you would expect this to translate to action from the board. The evidence suggests the contrary.
The talk of huge sanctions and fines for non-compliance was enough to get the board interested in the run up to May 25, 2018. However, as talk of the GDPR has died down during its first year in force, it has become significantly harder to keep it at the forefront of the conversation.
Stricter Enforcement is Coming
Throughout the first year of the GDPR being in effect, Data Protection Authorities were fairly lenient about breaches of compliance. For many organizations, DPAs were in fact extremely helpful in becoming compliant, offering practical advice on how to avoid non-compliance. In some cases companies were effectively allowed to fall out of compliance during this period so that DPAs could demonstrate what non-compliance with the GDPR looks like.
This is not to say that fines haven’t been handed out, as you’ll see in a minute. It’s also worth noting that heading into the second year of the GDPR, you should expect DPAs to be far less forgiving of breaches in compliance. The grace period is most certainly over. Expect a large increase in sanctions and fines as we go forward.
Fines Are Being Handed Out
Enforcement of the GDPR has taken place across numerous countries and industries. Some internet giants have seen fines that, relative to their revenue, probably didn’t hurt as much as the GDPR’s maximum would have: up to €20 million or 4% of global annual turnover, whichever is higher.
We have also seen examples of smaller companies being penalized quite significantly. A Polish company was fined €220,000 for failing to inform individuals that their data would be processed. This fine was significant as it was the first fine that had ever been issued by the Polish Personal Data Protection Office.
Companies must also be aware that there are GDPR penalties besides fines, including orders to suspend processing. The Dutch DPA sanctioned the country’s tax authority for using national identification numbers as part of the VAT number issued to self-employed individuals, a needless practice that exposed the identifier on invoices and increased the risk of identity theft. Similar sanctions have been imposed elsewhere as well.
GDPR Influences Compliance Worldwide
European countries outside the EU have nonetheless aligned themselves with the GDPR: Norway, Iceland and Liechtenstein apply it through the EEA Agreement, and Switzerland, outside the EEA, is revising its own data protection law to match it closely. Similarly, countries in Asia and Africa are seeing a general tightening of data privacy regulation, South Korea and India among them.
The much talked about CCPA in California appears to borrow heavily from the GDPR, as does the upcoming LGPD in Brazil.
Most commonly, these regulations replicate the GDPR’s approach to the rights of data subjects, data breach notification and accountability.