What have we learned from one year of GDPR?
It has been almost a year since the European Union’s (EU) General Data Protection Regulation (GDPR) first came into effect. After many years of discussion and debate, the biggest change to data privacy laws in a generation was finally brought in on 25 May 2018 to protect consumer privacy in the internet age. It’s probably too soon to accurately assess whether it has been successful or not, but it has certainly been impactful.
Throughout the month (May 2019) we are going to be looking at GDPR in more detail. Starting with this review of the year since GDPR, we will also look at the next steps for organisations attempting to manage GDPR and bring you an exclusive ebook that advises on how the next phase of GDPR readiness should be approached.
The origins of GDPR
GDPR has reshaped the way in which data is managed forever, placing much more responsibility on those that hold data than ever before. It is also a truly essential piece of legislation. Since the EU last addressed data privacy more than two decades ago the internet has changed everything, from how consumers communicate to how they go about many of their daily tasks.
Data is generated with every click of a mouse or swipe of a tablet, and the emergence of Internet-of-Things (IoT) devices will ensure that the volume of data keeps growing. Every piece of current and future data must comply with GDPR, so it is no small undertaking.
Keeping consumers’ data private and secure is vital, and the previous data privacy laws were nowhere near strong enough. So on 25 May 2018, GDPR finally came into law. EU consumers can extract their data from an organisation at any time they wish. Any organisation that holds EU citizen data must let people know within three days if their data is hacked, and it must also allow people to erase or move their personal information immediately.
Data breaches and DSARs on the rise
Since 25 May 2018 there has been a sharp upturn in the volume of data subject access requests (DSARs). Perhaps unsurprisingly, the various European Data Protection Authorities (DPAs) have also had to manage more than 50,000 data breach notifications since 25 May 2018. The Netherlands has seen the most data breach notifications, with Germany second and the UK just behind.
The UK’s Information Commissioner, Elizabeth Denham, gave a speech to the International Privacy Forum on 4 December 2018 stating that the Information Commissioner’s Office (the ICO) had received more than 8,000 notifications of data breaches since the end of May 2018. That is more than twice the volume (3,311 notifications) received in the period between 1 April 2017 and 31 March 2018.
Such a significant increase would suggest that the EU is taking GDPR very seriously indeed. But overall, there has been relatively little enforcement so far.
GDPR enforcement by DPAs
Most observers expected the EU and the different European DPAs to be relatively lenient when enforcing GDPR in the immediate months following May 2018. But in January 2019, people were shocked to learn that the French DPA (CNIL) had fined Google €50 million for a lack of transparency, inadequate information and lack of valid consent in relation to its use of personal data for the purposes of personalising advertisements.
People were shocked by the sheer size of the fine, but also by the fact that it was Google, one of the largest and most powerful companies in the world. The CNIL justified the fine by declaring that Google was continuing to infringe essential principles of GDPR – transparency and consent – and that the infringements were not a one-off but were still ongoing.
Google is yet to fully respond, but it was clear that a marker had been put down with regard to GDPR. Other fines have been issued, in Germany and Portugal, but they have been much lower. However, the fact remains that various DPAs have shown they are not afraid to issue fines, and it is likely that this will continue over the rest of 2019.
What next for GDPR?
It has been a highly eventful year since GDPR began, and it is clear that the next 12 months will also be challenging, as organisations continue to get to grips with this important piece of legislation. Most firms are under way with GDPR, but it is a continuous process and few could say with certainty that they are completely protected.
It is to help such organisations that Oxial first launched its Oxial GDPR EXPRESS. It uses an automated approach to offer 100% GDPR compliance, the ideal platform for any organisation unsure of how best to approach GDPR. Furthermore, it can be up and running and working to full effect in less than 90 days, and it creates a framework to help ensure compliance into the future.
Such future-proofing is particularly important given the seriousness of GDPR and the fact that it will almost certainly change and evolve as time moves on. Now is the ideal time for any organisation to review and audit its current compliance plans and ensure they are ready for whatever GDPR asks of them next.
For details on the Oxial GDPR Express and how it can help with GDPR, please visit here. And stay tuned for our upcoming ebook which will offer five essential steps for addressing GDPR now and in the future.