GDPR One Year On: What Have We Learned?
Businesses are comprised of different departments and professionals, with data flowing across the organisation. When there’s a data breach, it’s usually the data protection officers (DPOs), CIOs, and CISOs who take the brunt of the blame; however, since the introduction of the General Data Protection Regulation (GDPR), all staff are more responsible for data handling. The GDPR has brought in a unified approach towards data security management, increasing awareness among stakeholders at any organisation.
The GDPR came into effect on May 25, 2018, bringing more security to EU citizens’ personal data. Though this European data protection law has brought better security to end users, it’s left many businesses struggling to modify their personal data handling procedures. Businesses across the world have redefined their data management strategies to become GDPR-compliant in order to avoid huge penalties imposed on them for poor security frameworks.
However, the number of cyberattacks and data breaches haven’t gone down despite stricter data handling procedures. It’s been a year since the GDPR came into full force, and there’s still a lot of improvement that needs to be done in regard to personal data management.
What’s happened since the GDPR’s implementation?
The GDPR brought huge changes to organisations’ data collection, storage, processing, and disposal procedures; here are some interesting facts surrounding the introduction of the GDPR.
EU data protection authorities have registered a number of complaints since May 25, 2018. In the first month, there were over 10,000 complaints, and the number of complaints grew to 60,000 over the next six months, eventually hitting 95,180 complaints in January of 2019. All these complaints were filed by individuals who felt their rights under the GDPR had been violated.
Most of the complaints regarding GDPR compliance have been directed at telemarketing, promotional emails, and video surveillance.
Based on data breach norms, if organisations experience a data breach, they need to report it to the data protection authorities within 72 hours. Due to this, EU data protection authorities received 41,502 reports of data breaches through January 2019, and 5,000 in June 2018 alone.
Since May 2018, there have been 255 cross-border cases initiated by both national data protection authorities and European Data Protection Boards.
There are several active cases of companies significantly violating GDPR requirements that could cause fines of up to four percent of the offending company’s annual turnover, as per GDPR stipulations. As of April 2019, five hefty fines have been issued for breaching the law.
A German social networking company was fined €20,000 for failing to secure users’ data.
An Austrian sports betting cafe was fined €5,280 for unlawful video surveillance.
Google was fined €50,000,000 in France for lack of consent on ads.
The Polish data protection regulator levied a €220,000 fine on a Warsaw-based data analytics company for scraping the internet for data and not making the proper disclosures.
After a random audit, a taxi company in Denmark was fined DKK 1.2 million for failing to delete customer information.
The GDPR is directly applicable to all EU countries; as of April 2019, 23 member states have adopted the GDPR—all EU member countries aside from Bulgaria, Greece, Slovenia, Portugal, and the Czech Republic.
With over 300,000 media mentions in 2018, the GDPR received even more coverage than Mark Zuckerberg.
In May 2018, the GDPR was at the top of Google Trends—higher than any American celebrities.
What lies ahead?
Based on reports from the European Commission, as of December 2018, over 50 percent of regulated organisations are yet to become GDPR-compliant. Organisations need to become GDPR-compliant the old-school way by redefining their security strategy, identifying their data entry and exit points, as well as determining their data storage and management procedures. Generally, this takes a great deal of time.
However, with the proper data security and endpoint management tools, this overall strategy can be simplified, providing better visibility and security to users’ personal data.