GDPR — Large Fines — Larger Confusion?
This May marked the one-year anniversary of the EU’s General Data Protection Regulation (GDPR), perhaps the strictest set of privacy laws to date. The regulation includes landmark consumer rights when it comes to data privacy, including the right of access, broadened consent requirements, and the right to be forgotten. Since going into effect, the GDPR has caused a huge debate among business and cybersecurity experts. Where some herald it as a new dawn for consumer privacy, others consider it too big a burden for businesses.
So, one year in, how have things played out so far?
Breach Notification
Before the GDPR, the EU had no overarching laws requiring companies to report data breaches. Instead, it was up to individual member states to enact such laws. Since the GDPR, however, things have changed. According to the DLA Piper GDPR Data Breach Survey, nearly 60,000 breaches were reported between May 2018 and February 2019. These breaches ranged from minor, such as emails sent to the wrong person, to massive data dumps affecting millions of people.
Fines Imposed
The DLA Piper report also shows that 91 fines were imposed under the GDPR. According to the European Data Protection Board, combined fines totaled £55,955,871. However, this number can be misleading: included in that total is the £50 million fine imposed on Google this January.
Since those reports, however, there have been a number of even larger fines levied against companies. Just this month, the UK’s ICO proposed a £183.39m fine against British Airways and a £99.2m fine against Marriott International for past data breaches.
Business Still Confused
At the same time, businesses (primarily mid-size companies) who want to comply but don’t have the resources of the large firms are having a difficult time keeping up with the regulations and mapping out the right procedures to stay compliant. Just today, MSN published an article about a researcher who convinced one in four companies to give him data on his fiancée (with her permission) to show that GDPR compliance attempts can actually lead to breaches in and of themselves.
Takeaway
This year has shown that, when it comes to consumer privacy, regulators are taking the GDPR seriously and businesses are uneven in their ability to comply. But it’s still early days. French regulator Mathias Moulin emphasized in February that this “should be considered a transition year,” as lawmakers continue to nail down certain details of the new law and tie up loose ends.
While it seems the number of breaches reported and fines imposed will continue to increase, one of the big questions in the coming years will be exactly how effective these fines are in changing the culture around data privacy. Time will tell.