Happy Birthday, GDPR
It’s been just over a year since the General Data Protection Regulation 2016/679 (GDPR) was enacted. Many called it a watershed moment for data privacy. We labeled it not a new mandate but rather a new normal.
With GDPR’s first year complete, what have we learned about the regulation’s impact? And to a larger extent, how has GDPR paved the wave for other data privacy regulations?
GDPR has impacted the way businesses around the world view data privacy. However, in terms of regulations, GDPR’s impact has been tepid. As one article put it, “compliance has been slow, enforcement has been lax, and organizations are finding that learning about data origin, residence and use can be hugely daunting and difficult.”
The fact that GDPR is enforceable by each EU country has led to inconsistencies. For example, in Italy, officials perform random audits for GDPR compliance while Sweden conducted an en masse audit to see if companies had appointed a data protection officer. Another inconsistency is GDPR fines. Many businesses around the world were concerned about GDPR fines up to $20 million and up to four percent of revenue. Most GDPR penalties to date have been much lower.
Despite its slow start and minimal regulatory impact, a DLA Piper GDPR data breach survey conducted in February 2019 produced an interesting finding. Over 59,000 personal data breaches were reported across Europe since the introduction of GDPR. The regulation gives organizations 72 hours from discovery of data breach to response, triggering breach notification. Compliance leads to greater accountability of data.
On the downside, we’re experiencing slow compliance and uneven enforcement with GDPR. On the bright side, breach notification is on the upswing, and it means companies are taking compliance seriously. That’s the good thing about growing pains. You outgrow them.
GDPR and big tech firms
GDPR pushed privacy onto the main stage with big tech in the spotlight. Facebook has made major changes to its privacy and data handling policies and CEO Mark Zuckerberg has declared the future is private.
Google is the bellwether company for GDPR fines. French regulators handed Google a $57 million fine for not properly disclosing to users how their data is collected and used for targeted advertising. Now Ireland’s Data Protection Commission has launched an investigation of Google’s personal data management practices.
Fines aside, big tech firms with their billions of users have helped generate public awareness of privacy. On GDPR’s first birthday, it’s well-deserved recognition for starting it all.
The next wave of privacy regulations
It’s looking more and more like GDPR is the first in a wave of new data privacy regulations. In the US, the California Consumer Privacy Act (CCPR) becomes effective on January 1, 2020. Eleven other states are drafting privacy legislation or in the process of passing data privacy regulations.
The privacy wave continues around the world. Brazil’s general data protection law takes effect in February 2020. Bahrain became the first Middle East country to pass a privacy law. Other countries are amending their data protection laws to mirror GDPR, including Bosnia and Herzegovina, Hong Kong, Ukraine, North Macedonia, Montenegro and Monaco.
No matter which privacy regulation your organization is required to comply with, the challenge is the same. How well do you know your data? Finding the answer, as previously stated, can be hugely daunting and difficult. Our best advice is strong governance with integrated processes makes planning for a new privacy regulation straightforward and orderly.
If a birthday is about celebrating an individual, it also applies to GDPR at the one-year mark of its enactment. In a very short time, privacy has become a global concern for the public and a challenge for the businesses of the world. GDPR at Year 2 could be just as surprising.
Learn about how HIPAA Compliance plays a role in protecting against cybercriminals.
Learn about Principled Performance: Why should your company pursue it?
Read about the GAO’s report on CRA oversight