The first year of GDPR started slow, but companies and regulators alike are picking up speed. Our new infographic shows GDPR’s first year by the numbers.
Unless you’ve been on a worldwide cruise for the last year (with no Wi-Fi), there’s little doubt you’ve heard of GDPR—the European Union’s General Data Protection Regulation. GDPR went into effect May 25, 2018, and severely affected companies’ ability to use, store, transmit, and process individual consumers’ data without their express permission. Now that GDPR is about a year old, let’s look at the state of compliance and what’s on the horizon for GDPR. Download the PDF, and read our analysis below.
If you’re involved with data privacy and security on behalf of a company, you’ve seen numerous stories about companies getting ready for the compliance deadline. Then there were all the stories about what happens if you’re not in compliance. But while all the buzz was over the top, the first year under GDPR was relatively quiet regarding activity to enforce the new regulation. Overall, May 2018 to May 2019 has mostly been a year of learning and continuing to ramp up to full enforcement.
Regulators have been taking their time looking into alleged violations. But more action is to come: With 18 investigations currently underway in Ireland by the Data Protection Commission, the lead regulator in the EU for Facebook, Google, and many other tech companies, the GDPR enforcement hammer is still in the process of coming down.
Even if you’re not working for one of the targets of Ireland’s 18 GDPR investigations, you ought to be aware of the travails of the unfortunate few who have been on the business end of GDPR enforcement so far. The first GDPR fine was €400,000 for a hospital in Portugal that allowed improper access to clinical files. At least 91 fines during the first eight months under GDPR ranged from small (€4,800 for a CCTV system in Austria that captured a public sidewalk) to large (French regulators hit Google for €50 million for using personal data inappropriately).
If you’re not 100% GDPR compliant yet, you’re not alone. As of December 2018, 71% of companies were not fully compliant. Those numbers have improved only slightly since then, with at least 62% of companies still not fully GDPR compliant as of March 2019. And only 45% of IT executives claim to have a strategy for organization-wide encryption, which the GDPR calls an “appropriate” measure of data security.
There are signs of progress. For example, the frequency of data breach notifications has doubled compared with the pre-GDPR rate. No doubt this doubling has been influenced by the requirement to notify data breach victims within 72 hours or face heavy fines. GDPR fines max out at either €20 million or 4% of a violator’s global gross revenue in the preceding year, whichever is higher.
Whatever happens in the next 12 months, nothing can be as deeply ironic as the scenario wherein 25 out of 28 official EU websites were found to be infected with advertising scripts to track visitors without their knowledge or consent. To paraphrase an old rhetorical question, “Who regulates the regulators?”