How is GDPR Changing the Data Privacy Field?
After 2017 being named the Year of the Data Breach in the cybersecurity field, it was about time for 2018 to become the Year of Data Privacy Regulations.
Although the number of data breaches did not decrease this year, the global trend towards stronger privacy protections and greater data transparency makes 2018 a significant milestone in data regulation. It has also highlighted that cybersecurity standards are evolving and that security is becoming an ever more important topic.
GDPR Deadline: Come and Gone?
The General Data Protection Regulation (GDPR) brought the most important change in data privacy regulation in the last 20 years and was certainly among the buzzwords of 2018. May 25 was an important day not only for European companies; it also affected how businesses operate worldwide. The reason is that GDPR rules apply to all organizations that handle data from EU residents, regardless of the organization’s location or where the data is processed. The regulation marks the beginning of a more privacy-friendly world and has started to serve as a model for the collection and processing of personal data on a global scale.
After May 25 interest in GDPR has seemingly dropped, but reports issued by privacy watchdogs continue to show a sharp rise in both the number of privacy complaints and breach reports. Some Data Protection Authorities are overwhelmed with complaints; this is especially true in the UK and France.
According to the Information Commissioner’s Office (ICO), the number of self-reported data breaches in the UK has increased by 29% – from 2,447 last year to 3,156 this year – while France’s data protection agency, CNIL, received 64% more complaints between May and September compared to the previous year. The first complaints were filed on the day the privacy law took effect across the EU, against none other than Google, Facebook and its subsidiaries Instagram and WhatsApp. The rising numbers clearly show that GDPR has moved from concept to reality and that there is heightened awareness among citizens and businesses regarding data security and privacy.
GDPR Compliance: Still a Point of Concern
On the day GDPR went into effect, the majority of companies – including some of the giants – were not (fully) compliant with the regulation. More than seven months have passed since enforcement began, and studies show that the compliance rate is still far from 100%, with some businesses failing to meet even the essential requirements. Although the regulation took effect after a two-year transition period, many companies faced challenges in implementing and enforcing privacy requirements, due to lack of knowledge, shortage of skills and budget, or difficulties in understanding their data inventory. With non-compliance the risks are not limited to steep financial penalties; the firm’s reputation can also be damaged.
There are two tiers of administrative fines under GDPR that can be levied:
- Up to €10 million, or 2% of annual global turnover – whichever is higher. Level-one fines apply when a company fails to maintain an inventory of processing activities, does not cooperate with the Supervisory Authority, or does not communicate personal data breaches.
- Up to €20 million, or 4% of annual global turnover – whichever is higher. Level-two fines apply when a company fails to demonstrate compliance with basic principles such as applying fair conditions for consent, does not process personal data for legitimate purposes, fails to respect the rights of data subjects, or transfers personal data to a recipient in a third country without safeguards.
The amount is determined using a set of criteria that includes the nature of the infringement, the preventive measures taken, the number of people impacted, the type of data, cooperation with the supervisory authority, and so on. Firms should also be concerned about reputational damage, as it can result in losing customers’ trust in the long term.
GDPR Fines: On the Way
After GDPR came into effect, regulators did not hurry to apply penalties, despite the high volume of complaints. The European Union’s data protection supervisor, Giovanni Buttarelli, said the first GDPR enforcement actions were on the way.
“I expect first GDPR fines for some cases by the end of the year. Not necessarily fines but also decisions to admonish the controllers, to impose a preliminary ban, a temporary ban or to give them an ultimatum,” Buttarelli told Reuters in an interview.
Enforcement appears to be ramping up significantly and the first sanctions have recently arrived. The first case was that of the Portuguese Hospital of Barreiro Montijo, which received an EUR 400,000 fine for failing to restrict access to patient data stored in its patient management system. The Austrian Data Protection Authority (Datenschutzbehörde) levied the second fine, sanctioning the owner of a retail establishment with EUR 4,800 for reportedly installing surveillance cameras that recorded a significant portion of the public pavement beyond the business premises. In Germany, a social network website received a fine of EUR 20,000 from the Baden-Württemberg Data Protection Authority after a hack that leaked about 808,000 email addresses and over 1.8 million usernames and passwords.
The Butterfly Effect of GDPR
While it occupied most of the spotlight and has changed cybersecurity standards, GDPR has also fueled the appearance of data protection laws on a global level, including in Brazil and California. The California Consumer Privacy Act was signed on 18 June 2018 and will take effect on January 1, 2020. In Brazil, the data protection law, Lei Geral de Proteção de Dados (LGPD), was signed a few weeks later, on 12 August 2018, and will go into effect on 15 February 2020. November 1 marked the coming into force of the new Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada, intended to help organizations comply with mandatory breach reporting and record-keeping requirements. The Australian parliament has also been doing some due diligence to update its privacy regulations and bring them a little closer to the EU’s.
Without a doubt, compliance and data breaches will continue to have a big impact in 2019, as GDPR has been a catalyst for increased awareness both from regulators and the general public.