Today, on May 25, GDPR turns one. What progress has been made in data protection, and what obstacles have been blocking it? Find out below.
One year ago this day, the General Data Protection Regulation, or GDPR, entered into force. Although the document had been in preparation for more than seven years, it was enacted right at the time when data privacy and consent issues were hitting the headlines due to the Facebook and Cambridge Analytica data scandals.
To mark one year since the implementation of the new legislation, PaySpace Magazine wants to tell you about the current state of GDPR compliance, the most significant legal proceedings to date, and new international GDPR-inspired data privacy rules. We’ve collected some remarkable statistics and experts’ opinions to give you a fuller picture of what impact GDPR has made after one year.
One year on: GDPR compliance
Almost two months after the implementation of the GDPR, 20% of European and US companies believed they were already compliant, while three-quarters expected to be compliant by the end of 2018. Nevertheless, it would be wrong to say that most of the companies providing services to EU citizens have now reached full GDPR compliance.
At the beginning of 2019, another survey of general counsel and chief security officers in the FTSE 350 and Fortune 500 was conducted by law firm Paul Hastings. It found that only 43% of them were setting up an internal GDPR task force. Moreover, one of the key requirements for GDPR readiness is appointing a data protection officer, though only 29% of UK businesses and 18% of US enterprises have actually hired one. Still, 94% of FTSE companies believed they were ready for the GDPR.
We’ve reached out to international data privacy experts to hear first-hand their assessment of overall GDPR compliance and some insights on what impact the new regulation has on businesses.
As an IT management company specialising in compliance, GDPR has had an immense impact. Our clients, who are endeavouring and, I would say, trying harder than most, have struggled with achieving the level of compliance required by the law. Most are being more driven by the threat of cybercrime rather than criminal liability risks. Companies that have been hit by cybercrime are investing in their data systems, and it's an opportunity to improve their GDPR credentials. We still find that key business owners are either oblivious to the risks or their responsibilities, and they are sceptical about what the IT industry says. They usually have to personally suffer a data issue or see a close business suffer before they will take action. We have seen more businesses fail in 2018-2019 from cybercrime than from business performance. Only the big issues tend to make the news, but smaller companies are being exposed to cybercrime all the time.
European companies are very sensitive to the GDPR. Their level of involvement may vary depending on whether they are subsidiaries or not. They first ensure that the compliance program is the one that is appropriate for their business.
Today, to say that all European companies are GDPR compliant would be wrong. However, we have noted a consistent commitment to compliance.
The main difficulties encountered are related to the determination of data retention periods and the limitation of the processing. In the absence of a clear national law, these elements can be left to companies to decide. Therefore, it is important that the compliance program be carried out in good faith. In other words, the program must be effectively implemented.
Today, compliance with the GDPR provides a competitive advantage for any company because it can ensure technical and organizational security measures are in place to protect the data collected. All these measures will determine whether the designated program is working properly in practice.
As hard as this is, in the coming years it will not be enough just to “work towards” GDPR compliance. Data privacy and security are becoming vital for businesses in all fields. Those who fail to comply with the new data privacy rules can face not only resentment among partners and customers but also litigation and tremendous fines.
Major GDPR-related lawsuits
According to the European Data Protection Board’s recent report, there have already been more than 200,000 breaches and complaints reported, and €56 million in fines issued. Today, we would like to remind you of the most significant GDPR cases to date – the first one and the biggest one.
The first fine under GDPR
On 21 November 2018, the data protection authority of the German state of Baden-Württemberg imposed a €20,000 sanction on the chat platform Knuddels, making it the first company to be fined under the GDPR. The penalty was much smaller than it could have been, given that the platform suffered a leak of 1.8 million user credentials and more than 800,000 email addresses. Moreover, it turned out that this massive data breach was possible because of inadequate data protection measures: the company was storing passwords in clear text, making them easy prey for attackers. However, this case shows that GDPR is there not only to punish failures. Knuddels’ willingness to cooperate during the incident, as well as the fact that the platform itself had informed users and the authorities about the breach, played a key role in deciding the amount of the fine. The lesson learned: collaborative behavior and transparency do pay off.
The largest fine under GDPR
French data regulator CNIL fined Google €50 million for breaching GDPR. Yep, that’s right – of the €56 million in fines issued in total, the huge penalty of €50 million fell on a single company. The regulator stated that Google failed to explain properly how it collected users’ data and for what purpose. Moreover, there were concerns about Google’s personalized ad targeting. Some might say such a fine is not a problem for Google, as it is far from the statutory upper limit of €20 million or 4% of global annual turnover, whichever is greater. In that case, Google would have had to pay roughly $3.6 billion. In any case, the French privacy watchdog obliged Google France (whose turnover was €326 million in 2017) to make the payment.
GDPR-inspired data privacy rules
In May 2018, the State Administration for Market Regulation and the Standardization Administration of the People’s Republic of China introduced a new National Standard (in addition to the previous five) for personal data protection. The reach of the standards extends to any entity providing online services in the country. The new standards grant the authorities the right to inspect any company which operates online from a security and data protection standpoint. Like GDPR, the Chinese legislation requires companies to hire dedicated cybersecurity personnel, collect and store users’ credentials and data securely, and implement measures to prevent breaches and cyber attacks. At the same time, what distinguishes the Chinese law from GDPR is that end users in China have little control over their own personally identifiable information. The regulations basically put control over data in the hands of the government. That’s why businesses must not only take care of users’ data protection but also bear in mind that the data they collect can be searched or even seized at any time, without notice. Reports say some companies, including Alipay and Tencent Cloud, have already passed certification against the new National Standard.
India, which shows steady growth of its tech industry and digital economy, has not resisted this wave of data protection legislation either. There are more than 500 million active internet users, and India’s online market is second only to China’s, so data protection concerns are inevitable for the nation. Last summer, the authorities issued recommendations on data privacy and a draft of a new law, the Personal Data Protection Bill, 2018. Legal experts say the draft bill borrows significantly from GDPR. The document grants Indians a number of rights, such as the rights to access, correction, data portability, and the right to be forgotten. It also provides for big penalties for noncompliance, and even for a company’s failure to respond to a data principal’s request in a timely manner. In addition, the draft bill introduces the concept of an annual data audit, which businesses would carry out through independent data auditors.
Although there’s still no federal legislation, California took a step in that direction, passing the California Consumer Privacy Act (CCPA), which goes into effect on January 1, 2020. This is the first US law inspired by GDPR. It is intended to facilitate the protection of consumers’ data and to give people control over their personal information. Like GDPR, the act requires companies to be accountable and transparent in terms of collecting and storing any personal data. Fines for companies found to be non-compliant may reach $7,500 per violation.
It is clear that federal privacy rules are crucially needed. Still, CCPA is considered a good starting point, and, in the coming years, it may serve as a basis for future federal law. Legal experts believe that US society needs a GDPR analog reflecting American cultural and legislative specificities.
Of course, these three countries are just a part of the global GDPR-inspired movement. For instance, new laws or similar data policy changes have also been passed by Japan, Brazil, South Korea, Thailand, and others. This means that GDPR has given impetus to the development of a wide and growing legal architecture in all parts of the world. And, just as importantly, these changes are strongly supported by global tech leaders such as Apple and Microsoft. So let’s keep fine-tuning our data protection measures for the common good.