On May 25, the European Union celebrated the first anniversary of the enforcement of the General Data Protection Regulation (GDPR), the most important change in data privacy regulations in the last decade, designed to restructure the way in which personal data is handled across every sector (public or private) and every industry.
One year after the GDPR came into effect, we have looked at how companies are managing the adoption of the new, stricter data protection regulation. Do they know exactly what is required of them to achieve compliance? Are European citizens aware of their new rights? How are Data Protection Authorities (DPAs) handling the enforcement of violations and issue of non-compliant fines? Are fines really being issued? And how has GDPR affected other global data protection regulations?
The future of data protection
A year ago, the business world was filled with fear and doom-laden scenarios, mostly because of uncertainty about the requirements and obligations of GDPR. Some of that fear has diluted as companies have slowly started to decode and better understand the requirements of the new regulation. In fact, one of the primary benefits of GDPR enforcement has been the overall higher awareness of data privacy issues and the adjustment of best practices.
Stricter enforcement is around the corner
During the first year of the GDPR being in effect, DPAs in all EU Member States were very tolerant when it came to breaches of compliance, and they provided great help to many organizations in becoming compliant. Ahead of the regulation's enforcement, for example, the UK's Information Commissioner, Elizabeth Denham CBE, made it clear that the maximum penalties for breaching the regulations (£17m or 4% of turnover) would only be used in the most extreme cases.
Who didn't play ball?
Some organizations, however, did get hit with some rather hefty fines. Probably the most high profile, in January 2019 Google received a fine of £44m, from French regulator CNIL, for "lack of transparency, inadequate information and lack of valid consent regarding ads personalization", after complaints were filed against the tech giant by two privacy rights groups.
The grey area
As the adoption of data protection practices evolves, it will be interesting to see what happens to cases involving hacking, whereby a company has not deliberately shared its data. One German social media company was fined €20,000 for failing to secure its customers' personal details after a hack – it has been reported the company did not encrypt users' passwords, instead storing them in plain text and making them much more accessible.
GPDR's global reach
A lot of countries in Europe that aren't subject to EU legislations have adopted compliance regulations almost identical to the GPDR, including Norway, Switzerland, Iceland, Liechtenstein and the UK (in its preparation for a no deal Brexit).
So what lies ahead?
The enforcement of GDPR began a huge global shift for data privacy, creating political movements that are privacy agnostic and require more rights for data subjects, heavier penalties for companies and governments regulating the new rapidly advancing technologies.
Related content: Beyond GDPR, data protection around the world