The arrival of the General Data Protection Regulation (GDPR) has put to the test the organizations that collect personal data in the EU, introducing a unified approach to data protection laws and standards. The new law came into force on May 25, 2018 to impose new ways of collecting the personal data of EU citizens, including customers, suppliers, and employees.
GDPR obliges organizations to ensure that personal data is collected legally, and enforces a set of measures against data abuse. As data collection is the new norm in the digital era, GDPR aims at placing more power in the hands of ordinary consumers to protect their fundamental rights.
Privacy protection is a key element of customer confidence and a pillar of sustainable digital business development.
Stéphane Nappo, Global Chief Information Security Officer at Société Générale
Almost one year after the strongest data protection mechanism came into full effect, there is still much to do for some companies to become GDPR compliant. In fact, it might take years to enforce the critical points of the GDPR compliance mechanism.
According to the survey conducted by Cisco, only 59 percent of respondents are GDPR-ready as of January 2019. The study covers almost 3,000 participants in various countries around the globe including Germany, France, Turkey, USA and others. Another 29 percent expect to meet the requirements within a year. And only 9 percent of respondents claim that it will take more than one year to achieve GDPR compliance. Let’s find out what it takes to become GDPR compliant and what challenges are underway.
The new rules started to roll out accompanied by a significant boost in public response. The term “EU GDPR” stayed in the spotlight throughout May 2018, as many feared immediate action by regulatory bodies. Heavy fines of up to 4% of total revenue or, what’s worse, a €20m penalty for violations definitely sounded the alarm for numerous organizations.
The first enforcement actions, as well as preliminary bans, weren’t long in coming. In parallel, the regulatory bodies were also busy elaborating on the new aspects of the EU GDPR ePrivacy rules. It is no wonder many companies are still on their way to GDPR compliance, given the complexity of the preparation stage. One does not simply follow an extended set of strict privacy-related rules overnight.
How business entities comply with GDPR regulations
Who is affected by GDPR?
Any company that processes EU consumers’ personal data, whether inside or outside the EU, must comply with GDPR. The law also applies to US businesses if they sell their products to customers based in Europe. Any business unit that falls into this category should follow the changes, as non-compliance carries heavy penalties.
The new legislation was first announced in April 2016, requiring each affected organization to undergo certain preparation before the deadline. However, many companies are only now starting to meet the new regulations, or are already meeting them directly.
GDPR introduced a new mandatory role
The regulation requires that the data protection officer (DPO) carry out certain GDPR-specific activities. GDPR Article 37 refers to the DPO as an educator who is ready to share best practices in data protection and ensure ongoing training for employees. His or her other responsibilities include:
- handling reports on data breaches
- auditing the company’s compliance
- advising on data protection requirements
- presenting data processing activities to the public, etc.
The position must be introduced in any organisation that deals with sensitive personal data, regardless of its size. A prospective DPO may be appointed from internal or external resources, should have a proper command of data privacy laws, and should have no other commitments in the organization. Strong decision-making qualities are required to report the organization’s non-compliance to the supervisory authorities. The DPO acts as a mediator between the organization and those authorities.
GDPR is developing through its first year, and it is critical for DPOs to keep up with the changes and proactively inform the organization about them.
GDPR is developing
The European Data Protection Board (EDPB), a regulatory body responsible for GDPR application consistency, holds regular meetings where the future of ePrivacy and other critical issues are discussed.
A recent activity of the board is the adoption of Guidelines under GDPR Article 6(1)(b). The draft document focuses on defining the basis for “contractual necessity” and “a valid contract” in the context of online services. The guidelines explain how to determine whether data processing is objectively necessary.
Under the new regulation, it is not enough merely to state that data processing takes place. The need for processing must be expressly stipulated in the contract; otherwise, the processing will not be granted a legal basis.
The Guidelines touch upon specific cases applicable to online services, including personalisation and fraud detection. Data controllers will have to decide whether there is an objective necessity for data processing and how this activity corresponds to the purpose of the contract.
Furthermore, much is being done to encourage public discussion of transparency issues in the digital advertising ecosystem. Under GDPR and the ePrivacy Directive, established almost a year ago, the Transparency and Consent Framework (TCF) was the only industry-specific solution that ensured compliance with the new data protection norms.
The new version of TCF introduces more legal options for publishers and consumers, including the “right to object” exercised through TCF itself. Any user may question the “legal basis” for data collection by following a certain set of procedures. Previously, one had to exercise the “right to object” outside TCF.
The first twelve months of GDPR show that it is ready to reflect on feedback coming from the market and create industry-specific solutions. Despite its youth, GDPR proves to be consistent in combating data violation issues.
Penalties under GDPR
Several ongoing cases reaffirm that some companies haven’t prepared their resources to comply with the GDPR rules. The Municipality of Bergen has recently been fined €170,000 for just one file that was available for public access without authorization. Such a security breach was the result of poor investment in access management and countermeasures against security issues.
In fact, enforcement actions have been quite frequent since the adoption of GDPR. Among them are high-profile cases against industry giants. Google was fined €50m by France’s data protection regulator for failing to obtain valid consent for personalized ads. Facebook is still under investigation by Ireland’s DPC (Data Protection Commission), as the platform is believed to have stored thousands of user passwords in plain text on one of its servers.
Rise in complaints to DPAs
Under GDPR, individuals are free to file complaints with the DPAs (Data Protection Authorities). According to research by GDPR Today, an online hub that collects the latest GDPR news and statistics, the first 8 months of enforcement led to a total of over 95,000 complaints filed with the DPAs.
Regulators record an increase in complaints throughout the EU. The data suggests that France and the Netherlands receive the most complaints from individuals. CNIL, France’s data protection regulator, reports a 50% jump in complaints related to data protection. Many claim that May 25, 2018 is a point of no return for companies willing to take advantage of users’ personal data. The new regulation has prompted the public to fight for their individual rights through the GDPR’s DPA mechanisms.
Rise in data breach notifications to DPAs
The GDPR rules require that any data breach be reported to the local DPA within 72 hours. According to the latest estimates, the Netherlands, Germany, and Sweden have reported more often than the other EU members combined.
Despite the growing number of data breach reports, the number of actual penalties under GDPR is not so staggering. For example, in the United Kingdom the majority of fines were issued for data breach cases that predate GDPR. Overall, the national regulatory authority has closed almost 12,000 data breach reports between May 25, 2018 and late March 2019.
Lessons learned by US marketers
The effect produced by the latest GDPR news reports is widely felt in the US. Regulators confirm that the CCPA (California Consumer Privacy Act) is set to reach the new standards this year. If the changes get the necessary approval, the approach to data privacy will revolutionize the US digital landscape.
New data protection laws reflect the global move to stricter cybersecurity regulations that can’t go unnoticed in the US. The GDPR first anniversary shows that it is better to avoid GDPR sanctions than put the company’s reputation and assets at risk.
Penalties expected to rise
Many claim that GDPR is still in its early years. The privacy regulation is expected to reach all kinds of businesses, in minor as well as high-profile cases. Experts claim that the precautionary measures of 2019 will be replaced with stiffer fines later on. The Cambridge Analytica scandal and other similar cases signal to the world that data abuse is no longer an issue to be neglected.