GDPR: Year One
On Saturday, the EU’s General Data Protection Regulation (GDPR) passed the one-year mark, marking its first anniversary since it came into force on 25 May 2018. Today we’ll therefore be looking at its impact both in the EU and abroad and the milestones it has reached.
When it came onto the legislative scene in 2016, the GDPR created a far-reaching ripple effect that brought data protection into the public eye and onto legislative agendas the world over. It put EU data subjects first, giving them new rights to grant and revoke consent for the use of their personal information, as well as to request its deletion or access to it. The GDPR adopted new concepts such as privacy by design and by default that had, until then, been mostly the talk of policy circles. And above all, it made companies, whether they were located in the European bloc or elsewhere, responsible in the eyes of the law for the protection of their EU customers’ data.
The GDPR’s adoption sparked a race for compliance among companies both in Europe and beyond its borders. They had only two years to align their data protection policies with the regulation’s requirements. Some managed to implement their programmes successfully by the time the GDPR came into force on 25 May 2018, but the majority failed to meet the dreaded deadline.
In a report released in July 2018 by TrustArc, only 20% of the companies surveyed had managed to implement their GDPR compliance strategies by the time the regulation came into force. One year later, the GDPR’s central role in the development of a global movement for data protection legislation is unmistakable, while its consequences, in the form of steep fines, have begun to catch up with companies that failed to protect EU data subjects’ data.
One Year of GDPR in Numbers
An infographic on GDPR compliance and enforcement, released by the European Commission to celebrate the GDPR’s one-year anniversary, showed that 144,376 complaints have been lodged with national Data Protection Authorities (DPAs) under the GDPR. The most common complaints were related to telemarketing, promotional emails and CCTV surveillance. At the same time, 89,271 data breaches were notified to DPAs and 446 investigations relating to cross-border data processing activities were initiated, the majority following individual complaints.
Of the EU’s 28 member states, 25 have aligned their national legislation to the GDPR. The three holdouts, Greece, Slovenia and Portugal, are still working on integrating the new regulation into their national laws.
A study recently conducted by IAPP also revealed that approximately 375,000 companies in 12 EU member states are documented as having registered data protection officers (DPOs) with DPAs. The number for the entire European Economic Area (EEA) is estimated to be higher, reaching as much as 500,000. These numbers stand in stark contrast to the modest estimates for the number of DPOs that were circulating before the GDPR took effect. IAPP itself had predicted a conservative 75,000.
The GDPR has had a massive impact on international data protection legislation, partly because of its cross-border data transfer rules, which forbid transfers of EU data subjects’ personal information to third countries unless those countries have an adequate level of data protection in place. These adequacy decisions are made by the European Commission. While additional mechanisms that allow cross-border data transfers under certain circumstances exist, such as prior consent given by the data subject or the use of Binding Corporate Rules (BCRs), most countries are looking to obtain an adequacy decision to ensure a smooth flow of information between themselves and the European bloc.
Beyond these economically motivated considerations, the discussions generated by the GDPR have brought the issue of privacy and data protection into the public sphere and helped existing draft regulations gain momentum and cross the finish line into adoption.
Countries from Canada, the US and Brazil to Japan, India and Australia have taken inspiration from the new standard set by the GDPR and adopted new legislation or updated their existing laws to align them with the GDPR. And the ball is still rolling: the US is seriously debating a federal data protection law, and countries like Thailand are set to join the increasingly long list of countries with a post-GDPR data protection law in place.
GDPR Fines So Far
One year on, the steep fines that earned the GDPR so much attention have largely yet to materialise. Only France’s CNIL has taken the plunge, fining Google €50,000,000 for a lack of valid consent in relation to ads, a decision the tech giant is contesting. Other fines have been issued as well, most notably in Germany, where 75 fines amounting to €449,000 have been imposed, and in Poland, where a data brokering company was fined €220,000 for failing to inform citizens that their data was being processed. However, no DPA has yet issued the maximum fine of €20,000,000 or 4% of a company’s annual global turnover.
The reason is simple. Many DPAs have opted to allow companies an initial period of adjustment, during which they mostly offer organizations guidance so they can gain a better understanding of their new obligations under the GDPR. Most analysts now agree, though, that the period of leniency has come to an end, and companies that do not take the GDPR and its requirements seriously will do so at their own risk. Fines are expected to increase and multiply as DPAs take the kid gloves off and use the full extent of their powers to enforce the GDPR.