GDPR. Four letters that have supposedly changed the way data security and privacy is viewed on a global scale. Now, two years on since the European General Data Protection Regulation (GDPR) was introduced on the 25 May 2018, can we honestly say there has been an improvement in the way data privacy and security is handled?
GDPR is classified as being a European law that protects the data rights of European citizens but extends to any organisation that collects, stores or uses EU citizen data. Failure to appropriately meet the necessary compliance guidelines will result in fines that could range in the millions being issued by the independent regulatory bodies that enforce GDPR. Every nation has one: in the UK you have the ICO, in Germany you have the BfDI, in France there’s the CNIL, and Italy has the DPA Garante.
Truth be told, it is unacceptable today if an organisation is found to be non-compliant. From the time organisations were first pre-warned about GDPR back in 2016, it has now been four years. That’s four years to assure compliance, ensure systems that store, use and collect data are secure, and have the necessary processes and policies in place to meet the GDPR standard. Yet, the constant barrage of data breaches being reported act as a perfect reminder that there is much work to be done to drill home the message.
Since its inception, there has been an increase in the number of data breaches, but this is likely due to the fact that organisations are now reporting more to the authorities – it helps that there is a 72-hour deadline for this to happen.
Yet, in the UK, it took over a year for the ICO to charge its first GDPR violator. A local London pharmacy was fined £275,000 (€307,762) in December 2019. The first fine to range in the millions was issued by Germany’s BfDI to one of the country’s largest internet and mobile providers, 1&1 Ionos. The penalty here was €9,550,000 after the company lacked sufficient protection for personal data and violated Article 32 of GDPR.
But the unwanted title of having the largest fine imposed under GDPR in Europe to date goes to Google, with French regulators CNIL enforcing a fine of €50m on the tech giant after it was found to have provided inadequate information to its users about data consent policies and restricting control on how data was used.
These are all substantial fines in their own rights and should be heeded as a warning by other businesses that are taking a nonchalance stance to GDPR compliance. Furthermore, there are a variety of ways companies have been found to be non-compliant. For organisations outside of the EU’s remit that are struggling to fulfil data security obligations, GDPR can also be used as a helpful guideline.
Aside from the obvious benefit of data security and privacy, GDPR has also allowed organisations to be more open and bridge communication with users as to how data is being leveraged to create a better customer experience. This is where trust between a brand and a customer can blossom. However, if a company suffers a breach and is found to have failed in meeting GDPR compliance, damage both financially and reputationally, can be almost irreparable.
Even though we are only two years into life with GDPR, the regulation has certainly highlighted the importance of the privacy and security of data today, and in this position, it can never be cast aside.