On May 25, the European Union celebrated the first anniversary of the enforcement of the General Data Protection Regulation (GDPR), the most important change in data privacy regulations in the last decade, designed to restructure the way in which personal data is handled across every sector (public or private) and every industry. Now that one year has passed since the GDPR came into effect, a lot of questions have arisen. How are companies managing the adoption of the new, stricter data protection regulation? Do companies know exactly what is required of them to achieve compliance? Are European citizens aware of their new rights? How are Data Protection Authorities (DPAs) handling the enforcement of violations and issuing fines for non-compliance? How has GDPR affected other global data protection regulations?
GDPR’s story so far
On May 22, the European Commission published an infographic on compliance with and enforcement of the GDPR from May 2018 to May 2019. The infographic reveals some very interesting statistics, including:
- 67% of Europeans have heard of the GDPR
- 57% of Europeans know that there is a public authority in their country responsible for protecting their rights about personal data
- 20% know which public authority is responsible
- 144,376 is the total number of queries and complaints to DPAs
- The types of activities for which the most complaints have been made so far are telemarketing, promotional e-mails and video surveillance/CCTV
- 89,271 is the number of data breach notifications
- DPAs have 446 open cross-border cases
- 25 EU Member States have adopted the required national legislation, but three are still in the process of doing so (Greece, Slovenia and Portugal).
The European Commission also issued a press release about the first year of GDPR enforcement, with Andrus Ansip, vice president for the Digital Single Market and Věra Jourová, commissioner for justice, consumers and gender equality, stating that “These game-changing rules have not only made Europe fit for the digital age, they have also become a global reference point.” And that “People are becoming more aware – and this is a very encouraging sign. New figures show that nearly six in ten people know that there is a data protection authority in their country”.
The statement also makes a bold declaration about the EU's work on regulating future technologies, stating that “The new law has become Europe's regulatory floor that shapes our response in many other areas. From artificial intelligence, development of 5G networks to integrity of our elections, strong data protection rules help to develop our policies and technologies based on people's trust.”
The future of data protection
A year ago, there was a lot of fear and doom scenarios across the business world, mostly because of uncertainty about the requirements and obligations of GDPR. Some of that fear has lessened as companies have slowly started to decode and better understand the requirements of the new regulation, and one of the primary benefits of GDPR enforcement has been the overall higher awareness of data privacy issues and the adoption of best practices.
Privacy and consent are obviously still big priorities for many organizations, and as we are in a transitional year, it is almost certain that DPAs will continue to issue increased fines and penalties. As a result, stakeholders must be educated on the nature of personal data that their organization handles and what needs to be done so they can comply with the regulation.
Stricter enforcement is around the corner
During the first year of the GDPR being in effect, DPAs in all EU Member States were very tolerant when it came to breaches of compliance and they provided great help to many organizations in becoming compliant.
In many cases, heavy fines have been handed out; however, stakeholders should be aware that there are other GDPR penalties besides fines, including the suspension of data processing. As we head into the second year of GDPR, DPAs will probably become less forgiving of compliance violations, and organizations should expect an increase in sanctions and fines as we go forward.
GDPR influences data privacy discussions worldwide
A lot of countries in Europe that aren’t subject to EU legislation have adopted compliance regulations almost identical to the GDPR, including Norway, Switzerland, Iceland, Liechtenstein and the UK (in its preparation for a no-deal Brexit). Likewise, some countries in Asia and Africa that have close relationships with Europe are redesigning their data privacy regulations, including South Korea and India. Other privacy legislation appears to be heavily influenced by GDPR in the rights given to data subjects, data breach detection/prevention and accountability, like the California Consumer Privacy Act (CCPA) and the upcoming LGPD (General Law of Data Protection) in Brazil.
What lies ahead
The enforcement of GDPR began a huge global shift for data privacy, creating political movements that are privacy agnostic and require more rights for data subjects, heavier penalties for companies and governments regulating the new rapidly advancing technologies. Also, thousands of GDPR actions are currently under investigation and organizations should expect EU regulators to continue to chase instances of regulation violations.
GDPR has started regulatory discussions in other countries as well, including the United States. Presently, the data privacy standards being discussed on a global level are not uniform, and organizations could find that they must comply with different privacy legal frameworks as well as face conflicts between legislation (especially in the case of multinational/multiregional organizations). In addition, the evolution of technology will certainly challenge even the best-prepared organizations and hugely increase their cyber risk.
For more information on how to achieve and maintain compliance, read the Data Security Compliance and Regulations eBook.