The GDPR is the most significant change to data privacy regulation in the EU and UK in the last decade, designed to restructure how personal data is handled in every sector (public or private) and every industry.
One year after the GDPR came into effect, we have looked at how companies manage the adoption of the new, stricter data protection regulation.
- Do they know exactly what is required of them to achieve compliance?
- Are European citizens aware of their new rights?
- How are Data Protection Authorities (DPAs) handling the enforcement of violations and the issuing of fines for non-compliance?
- Are fines really being issued?
- And how has GDPR affected other global data protection regulations?
Let's jump right into it.
The future of data protection
A year ago, the business world was filled with fear and doom-laden scenarios, mostly because of uncertainty about the requirements and obligations of GDPR.
Some of that fear has subsided as companies have slowly started to decode and better understand the requirements of the new regulation.
In fact, one of the primary benefits of GDPR enforcement has been an overall higher awareness of data privacy issues and the adoption of better practices.
Stricter enforcement is around the corner.
During the first year of the GDPR being in effect, DPAs in all EU Member States were very tolerant when it came to breaches of compliance, and they provided great help to many organizations in becoming compliant.
Ahead of the regulation's enforcement, for example, the UK's Information Commissioner, Elizabeth Denham CBE, made it clear that the maximum penalties for breaching the regulations (£17m or 4% of turnover) would only be used in the most extreme cases.
Who didn't play ball?
Some organizations, however, did get hit with some rather hefty fines.
Probably the most high-profile case came in January 2019, when Google received a £44m fine from the French regulator CNIL for "lack of transparency, inadequate information and lack of valid consent regarding ads personalization," after complaints were filed against the tech giant by two privacy rights groups.
The grey area
As the adoption of data protection practices evolves, it will be interesting to see what happens in cases involving hacking, where a company has not deliberately shared its data.
One German social media company was fined €20,000 for failing to secure its customers' personal details after a hack: it has been reported that the company did not encrypt users' passwords, instead storing them in plain text and making them far more accessible.
GDPR's global reach
A number of European countries that are not subject to EU legislation have adopted compliance regulations almost identical to the GDPR, including Norway, Switzerland, Iceland, Liechtenstein, and the UK.
So what lies ahead?
The enforcement of GDPR began a substantial global shift in data privacy, creating privacy-focused political movements that demand more rights for data subjects, heavier penalties for companies, and governments that regulate rapidly advancing new technologies.