In May 2018, the GDPR came into force across all EU member states. The legislation, designed to protect the personal data and privacy rights of EU residents, holds organisations (as data controllers and processors) responsible for the personal data they hold on their customers: names and addresses, right up to special-category data such as sexual orientation, and it requires that whatever is collected is actually necessary for the service being provided.
The regulations are strict, and the associated fines can be hefty: up to €10 million or 2% of global annual turnover for lower-tier infringements, and up to €20 million or 4% of turnover for the most serious, whichever figure is higher.
They won’t be going away any time soon, either. If you’re under the impression that GDPR obligations will disappear in the wake of Brexit, you might want to curb those expectations. With the GDPR’s requirements enshrined in the UK’s Data Protection Act 2018 (DPA), they remain enforceable British law.
Not only this, but Britain’s departure will do nothing to quell the huge volumes of data that pass between the UK and EU states. Any UK business that offers goods or services to EU residents, or that exchanges personal data with EU partners, will still be held to the bloc’s rules.
Across 28 member states and one year of GDPR, what exactly have the regulations achieved?
As far as cumulative fines go, they’ve hit almost €56 million in this first year alone (although that figure comes with a caveat, below), alongside 206,326 cases reported to supervisory authorities in the first nine months, according to a report by the European Data Protection Board. 31% of those were breach notifications from the organisations themselves, which are obliged to report a breach to their regulator within 72 hours of becoming aware of it where the breach poses a risk to individuals. An unfortunate 46%, however, were investigations opened on the back of complaints from the public.
In March, the International Association of Privacy Professionals held a panel in London to discuss the first year of the GDPR. Stephen Eckersley, head of enforcement at the UK Information Commissioner’s Office (ICO), noted a “massive” increase in data breach reports, presumably spurred by the regulation’s strict breach-notification rules. He estimated that at the current rate the ICO will see as many as 36,000 breaches self-reported in 2019.
Mathias Moulin of France’s regulator, the CNIL, took a more restrained view of the first year, which he referred to as a “transition year”. Vivienne Artz, Chief Privacy Officer at financial data firm Refinitiv, doused the celebrations further by noting that €50 million of the €56 million in GDPR fines belonged to a single penalty against Google. That fine followed the CNIL’s finding that Google had not made sufficiently clear to users how their data was being processed, and had not obtained valid consent for personalised advertising, leaving users little real control over how their data was used.
To a technical colossus like Google, this fine is little more than chicken-feed. For the most egregious GDPR breaches, fines can reach €20 million or 4% of a company’s annual global turnover, whichever is greater; for a business of Google’s size, the 4% ceiling would run into billions. Google’s comparatively lenient penalty makes up the vast majority of the GDPR’s fines to date, yet it has barely dented the company itself.
And this, it seems, will be the real battle once GDPR’s “transition” year comes to an end: enforcing fines in proportion to the offender. Large tech companies, each with their fingers in staggering amounts of our personal data, can absorb a minor financial hit and carry on with impunity, which is more than can be said for most enterprises.
As security experts and advocates, we at Mirus know that GDPR compliance can feel like a massive undertaking, but we also know the importance of keeping personal data safe and accounted for. In a year that saw several high-profile data breaches harming both companies and individuals, the GDPR’s first impression as a bureaucratic, box-ticking bore may have proven premature; data protection is becoming a more pertinent concern by the day.
Get in Touch Today for Cyber Security and Data Recovery That Protects Your Sensitive Data.
For data security and privacy that meets Government-backed standards, Mirus IT holds the NCSC’s Cyber Essentials and Cyber Essentials Plus certifications as well as the IASME Gold certification, so both your data and ours are handled to a certified, resilient standard.