GDPR – One Year On, A Complete Analysis by Astra Security
We have almost reached the GDPR milestone. One year ago, on 25th May 2018, the General Data Protection Regulation came into effect. The obvious question is: what has changed since May 2018? It is high time we discussed the true effect of GDPR so far, and what businesses have learned over the past year. It cannot be denied that many businesses still find GDPR puzzling, and many have little understanding of what they should be doing or the effect it could have on them. Nonetheless, a lot has changed. Let us find out what in this article.
GDPR Effect – The Reality
According to a survey of SMEs conducted by Hiscox in January 2019, 39% of SME respondents do not know whom GDPR affects, and 9 out of 10 SME owners do not know the important new rights consumers have under GDPR.
The survey also reveals that more than half of SMEs are less aware of GDPR than when it was implemented, while a huge 96% do not know what the maximum fine for a breach is, nor that it is calculated as a percentage of the business's global turnover. This seriously highlights the reality that businesses have learned very little over the past year.
The Financial Impact of GDPR
The ICO (Information Commissioner's Office) in the UK saw a 160% rise in data breach complaints in just the 6 weeks following 25th May last year. GDPR Report says that in the first few months after GDPR came into force, DPAs (data protection authorities) carried out exploratory investigations into businesses and offered a significant amount of leeway to allow companies that were in breach of the regulation to 'get their house in order'. They offered guidance, made recommendations and lent a helping hand to businesses. In recent months, however, that leeway has been withdrawn and several heavy fines have been levied. For example, a Polish company was fined €222,000 for failing to inform consumers that their data would be processed.
So far, 91 fines have been issued. Some relate to personal data breaches, while others are for different GDPR infringements. Most of the fines issued, in countries such as Portugal and Germany, have been low. However, the biggest fine levied to date was by CNIL, the French DPA, which issued a €50 million fine against Google in January 2019. This was due to a lack of transparency, insufficient information and the absence of valid consent in regard to its use of personal data to personalise advertisements.
With financial penalties of this size being levied on businesses, there is not a single business out there that can afford to switch off from GDPR. In the first few months of GDPR, many companies worked hard at meeting their new data privacy obligations, but in 2019 this seems to have tailed off. GDPR is not going away. Businesses really have to get back 'on board' the GDPR train and start looking at their responsibilities towards consumers' rights.
GDPR in Europe
But it is not just fines that businesses have to worry about. Recently in The Netherlands, the DPA sanctioned the tax authorities for using the national identification number as part of the VAT identification number for self-employed people. The DPA said that using the number in this way had no foundation in law, and that it could increase the risk of identity fraud. As of 1st January 2019, the Dutch tax authorities are no longer allowed to use this number in that way.
Moreover, fines have a big impact on a business, not just in financial terms but also in respect of reputation and trading. Businesses also run the risk of being issued with a temporary, or even indefinite, ban on processing.
It has to be noted that there are still a large number of businesses that have not been fined for failing to protect customers' data, according to a report published by the European Data Protection Board in February this year. In addition, many of the fines issued so far have been small, and for some companies so insignificant that they barely had an effect. But this is predicted to change in the future: the transition period is definitely over.
GDPR Outside of Europe
One year on, GDPR is now affecting countries outside the European Union. California in the US and Brazil are currently bringing new data privacy laws into effect. Brazil's LGPD (General Data Protection Law) will be implemented on 15th August 2020 and will include many of the GDPR data privacy principles.
Similarly, California's CCPA (California Consumer Privacy Act) will come into effect on 1st January 2020. However, many companies in the US are being advised not to wait until the new law is implemented, particularly as consumer requests can cover the preceding 12 months. The CCPA, although loosely based on the GDPR in terms of data subject rights, does not include the GDPR's accountability obligations.
The US as a whole is working on developing a unified breach notification framework that it hopes will be more effective than the current patchwork of different laws in different states. While this has its opponents, the success GDPR has had in increasing breach reporting is a clear indication that a countrywide policy is likely to bring far more benefits.
To smooth international data exchange, many more countries outside the EU are starting to bring data privacy regulations into effect, covering mainly data subject rights, accountability and data breaches for now. In the coming years this is likely to increase further, and it will mean that businesses need to be much more aware of data privacy rights and regulations in countries worldwide.
Here are a few myths discussed by GDPR Coalition
Increase in Breach Reporting
Although 2018/19 has been considered a transition year for GDPR, breach reporting has already changed dramatically. At the International Association of Privacy Professionals panel in London in March 2019, the head of the UK's ICO informed the panel that there had been a massive increase in the number of breaches reported since GDPR was implemented. In June 2018 alone, businesses reported 1,700 data breaches.
This is estimated to rise to around 36,000 in 2019, a 55% increase on the previous annual reporting rate. A GDPR Data Breach survey released by DLA Piper in April 2019 revealed that in Europe almost 60,000 breaches were reported between 25th May and 31st December 2018. The survey also found that Germany, The Netherlands and the UK were the top three countries for breach notifications.
Given that the level of unawareness is still staggering, the true number of notifiable breaches is probably much higher still.
GDPR: what next?
What is clear is that businesses can no longer put off until tomorrow what needs to be done today. Getting a handle on GDPR's requirements is imperative to avoid the risk of being fined. Business owners need to be much more aware of consumers' rights under GDPR and the steps they need to take to protect personal data. They also need to ensure that their business is compliant and able to avoid data breaches; and if a breach does occur, they need to understand the notification process, including the requirement to notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it. GDPR needs to be taken seriously before it has a serious impact on the business.