GDPR Fifteen Months On
The General Data Protection Regulation (GDPR) has driven an evolution of the regulatory landscape in the EU and arguably worldwide. Almost fifteen months on, CareersinCompliance thought it was time to unpack GDPR's impact and look at where the regulation is focussed next.
With the initial fear stemming from the possibility of fines of €20 million or 4% of a company's global turnover (whichever is higher), aligning with GDPR requirements cost large corporations an estimated £1.17 million each. Within GDPR's first eight months, 59,000 personal data breaches were reported to regulators, with the United Kingdom, the Netherlands and Germany listed as the countries with the highest number of reported breaches. Over the first full year, a reported 280,000 cases required investigation, with the majority of complaints concerning telemarketing, promotional emails and video surveillance.
The Information Commissioner's Office has not hesitated to prove it means business, grabbing headlines by hitting multinationals such as British Airways, Facebook and Marriott with record-breaking penalties. British Airways was notified of a proposed £183 million penalty for its breach, in which the personal data of approximately 500,000 customers was compromised. Smaller companies have not escaped penalty either, with several serious breaches receiving equally serious treatment: a Polish company was fined €220,000 in late March for its misuse of personal data.
“GDPR marked a sea change in organisations' approach to privacy and data protection. Companies have integrated data protection into their governance structures and embraced the demands for accountability in GDPR,” said Trevor Hughes, CEO of the International Association of Privacy Professionals.
Looking at the bigger picture, however, the fines issued in the first year fell well short of expectations: some forecasts had predicted totals 79 times higher than what was actually levied. Because the investigations required are complex, lengthy and resource-heavy, the monetary fines issued have not been on the scale anticipated, and while big fines have been announced, the most significant penalties were only issued in the past two months.
GDPR has also been a catalyst for privacy legislation outside the European Union. The California Consumer Privacy Act (CCPA) is the next big regulation, coming into effect on 1 January 2020, and has been described as one of the United States' most comprehensive data protection laws. Like GDPR, the CCPA seeks to protect consumers and to regulate how companies collect and use their data.
Looking forward, Elizabeth Denham, the UK Information Commissioner, sees the next challenge for compliance professionals as operationalising and normalising their new compliance practices. Companies will need to move beyond baseline compliance by embedding strong accountability frameworks rather than treating compliance as a tick-box exercise. While the prospect of huge fines and reputational damage initially caught board attention, keeping compliance and data protection an ongoing board-level conversation poses a significant challenge for regulatory compliance professionals.
With the financially crippling penalties and reputational damage associated with a GDPR fine, the regulation has reshaped the conversation around data protection. If nothing else, it has brought data and privacy to the front of mind at a macro level and forced the issue onto board agendas.