It might be hard to imagine, but it has been three years since the General Data Protection Regulation (GDPR) was implemented on 25 May 2018. Time certainly does fly by when you are trying to protect data. Nevertheless, the term ‘GDPR’ has set a precedent on what is to be expected from organizations when it comes to protecting personally identifiable information (PII) of EU data subjects and has served as the foundational inspiration for many international data security regulations.
- 272.5 million EUR in fines have been imposed in Europe since the implementation of GDPR.
- More than 281,000 data breach notifications have been issued.
- The highest GDPR fine to date remains 50 million EUR, which was imposed by the French data protection regulator on Google.
Looking at the regulation, can it be considered a success in what it set out to achieve? The answer is not as straightforward as you may think. Going by news headlines, we regularly see businesses fined for non-compliance, with significant penalties being levied. In the EU alone, over €30 million in GDPR fines have already been issued to organizations in 2021. But there is more to it than just the fines, and we cannot judge the success of GDPR by the number of those penalized.
GDPR was mandated to improve the security and privacy of individuals’ sensitive data in the hands of those handling it. It demands transparency in how that data is processed, and its impact is visible not just in Europe but around the world. It can be said that GDPR has elevated the general public’s awareness that they have a right to data security, which has been instrumental in building a culture of data privacy and protection. So much so that a host of countries have either implemented, or are close to adopting, comparable data privacy laws, including Brazil (LGPD), the USA (CCPA), New Zealand (Privacy Act), Canada (Digital Charter Implementation Act), and South Africa (POPIA), among others. With sensitive information constantly crossing borders, data privacy, security, and data handling have become a global issue. GDPR brought that to the forefront.
When you break it down, GDPR has set the standard for what organizations must do to keep PII secure, including which security technology is acceptable to implement in order to meet compliance effectively and efficiently. This might require businesses to invest substantial resources in acquiring the necessary tools, but that investment certainly outweighs the potential fines and reputational damage should a business be found non-compliant.
So, what does the future hold for GDPR?
In the relatively short time that GDPR has been in effect, it has already made a positive mark on this digital world. Other nations have taken note, and as a result we are seeing similar data protection and privacy regulations emerge. This is forcing many enterprises, especially those with an international presence, to consider processes and technologies that allow for cross-regulatory compliance, because these regulations share many requirements for data collection, handling, and processing.
Naturally, there will be developments in the regulation to ensure individuals are better protected, and this will lead to evolutions in data protection methods that help meet these requirements and make compliance easier. Indeed, the focus must shift to a data-centric approach whereby organizations protect the data itself rather than solely the perimeters around it. Consequently, this will greatly reduce the impact of data breaches and the fines for non-compliance, because with data-centric security, even in the event of a breach, no sensitive data is left exposed.
So, three years on, can we say GDPR has guaranteed the complete safety of individuals and their data? Not completely, but it has certainly provided a solid base, and EU residents have a better understanding of data privacy than they did before GDPR.