At 2Checkout, we recently celebrated the first anniversary of EU’s establishment of the General Data Protection Regulation. It was a good opportunity to reflect on its impact on business, test our data protection knowledge with fun quizzes, and eat some delicious cupcakes in the process. 😊
What has been the impact of GDPR since May 25, 2018, though? What has it brought for organizations and individuals and where are businesses today on their GDPR compliance journey? Let’s have a look at the evolution and consequences of the new data protection regulation over the last year and try to predict what comes next.
GDPR by the numbers
In April 2018, about 40% of companies thought they would be GDPR-compliant by the 25th of that May. Today it is estimated that 50% of companies are still in the process of becoming compliant, with all the necessary organizational and procedural changes forecast to take another two years to implement fully.
All in all, the year since the GDPR’s entry into force has been a bit of a mixed bag. At one end of the spectrum, many companies have given adequate attention to compliance and hired Data Protection Officers (DPOs) to help them put the regulation into practice. According to IAPP research, an estimated 500,000 organizations have registered DPOs across Europe, and the number of European DPOs is now comparable to the number of privacy professionals in the United States.
At the other end, despite updating their privacy policies and giving users somewhat more control over their data (at least on paper), many organizations have made only skin-deep changes to the way they gather and process personal data. While they confronted users with an endless stream of opt-in emails and website pop-ups about cookies, the underlying compliance mechanisms are still under development in a lot of companies. The sharp and constant rise in the number of data privacy and protection complaints received by Data Protection Authorities (DPAs) since the GDPR took effect stands as proof.
Data Privacy Complaints
DPAs have received over 144,000 individual complaints under the GDPR since May 25, 2018. Those complaints have included access requests, the right to be forgotten, unfair processing, disclosure, and unwanted marketing or employee privacy, with most of them relating to three main types of activity: telemarketing, promotional emails, and video surveillance/CCTV.
There have also been 440+ cross-border complaints, mostly related to the exercise of the data subjects’ rights, of which at least 45 were initiated by supervisory authorities from 14 different EEA countries using the One-Stop-Shop cooperation procedure for cross-border cases. The incidence of cross-border complaints points to an increased awareness among European citizens about their data privacy and protection rights.
Nevertheless, the number of complaints has not led to many enforcement actions against the infringing organizations, with relatively few punitive measures being imposed. We’ll come back to that later.
Data breach notifications
While the enforcement of the GDPR has been somewhat timid in this “transition year,” the requirement for organizations to report any personal data breach to their national DPA within 72 hours of becoming aware of it has had a much more visible, positive impact. More than 89,000 data breach notifications have been received by DPAs across the EU since May 2018. In some countries, the number of annually reported breaches doubled in the months after the introduction of the GDPR.
Prior to the existence of this requirement in the GDPR, many EU companies never reported data breaches. What’s more, laws regarding data breaches differed wildly across member states, which meant that many people would never learn that their personal data had been compromised. The GDPR has replaced all of those disparate pieces of legislation with a single rule – a data breach should be reported within 72 hours both to the affected individuals and to the relevant Data Protection Authority – while also establishing a single common definition of what constitutes personal data. Organizations are therefore much more inclined to disclose data breaches, which allows people to take steps to protect their personal information and will help authorities identify, track, and hopefully better tackle cybersecurity threats in the future.
GDPR enforcement and guidelines
Throughout the last year, regulators have focused on helping organizations become compliant with the GDPR by providing detailed and clear guidelines for implementation. The guidance framework provided so far by the European Data Protection Board (EDPB) has dedicated sections for:
- personal data breach notifications
- Data Protection Officers’ roles and responsibilities
- Data Protection Impact Assessments (DPIA)
- the Lead Supervisory Authority
However, while the EDPB’s first report on the implementation of the GDPR highlighted an increased number of complaints and data breach notifications, enforcement of the GDPR has been lacking. So far, €56 million in fines has been imposed on organizations for GDPR breaches, but €50 million of that sum comes from a single fine levied by the French Data Protection Authority (CNIL) at the beginning of this year for infringement of consumers’ right to be informed of, and to consent to, the collection and processing of their personal data.
Another significant fine (€220k) was imposed in March 2019 on a Polish company, while the Dutch DPA has even suspended the data processing activities of the country’s tax authority and national land register for GDPR violations. Such high-profile cases notwithstanding, most companies are still not being fined for GDPR non-compliance, and the few fines that DPAs do impose are still rather small in the grand scheme of things.
The future of GDPR
Even though its implementation so far has been hit-or-miss, the GDPR will have wide-ranging consequences all over the world. Since almost any organization whose activities involve EU citizens must comply with the GDPR, no matter where in the world the organization is established, the regulation’s impact will continue to grow. Already in Europe, Switzerland, Norway, Iceland, and Liechtenstein have amended their data protection legislation so that it almost mirrors the GDPR. The California Consumer Privacy Act of 2018, Brazil’s General Data Protection Law (LGPD), and India’s Draft Personal Data Protection Bill 2018 (PDPB) have also been significantly influenced by the GDPR, particularly with regard to the rights of data subjects, transparency, data breaches, and accountability.
Furthermore, the European Data Protection Board has published draft Guidelines on the territorial scope of the GDPR which, once finalized, will help non-EU organizations determine which of their activities fall under the scope of the GDPR and how they should ensure compliance when processing EU citizens’ personal data.
Nevertheless, while the “transition year” has brought increased public awareness of data protection rights and encouraged transparency around data breaches, much more remains to be done to ensure organizations’ full compliance. Organizations should stay focused and continue their work to ensure GDPR compliance, embracing data protection by design as they keep up with technological change. Concurrently, the EDPB and the Data Protection Authorities must do more to harmonize the way they calculate penalties for non-compliance and to enforce the GDPR much more effectively.
Other GDPR Resources
If you need more information about how to ensure your business is GDPR-compliant, you may also check out our resources below:
- GDPR Compliance for Software & SaaS Companies – Practical Checklist: Part 1
- GDPR Compliance for Software & SaaS Companies – Part 2
- 5 Tips for a Transparent and Compliant Privacy Notice