The Evolution of GDPR from adoption to present day

Learn more about GDPR compliance and ways to develop a data protection and security first mindset in your organization

The General Data Protection Regulation (GDPR) turns 5 on May 25th. It is one of the most impactful laws active in the European Union and it is regarded as the gold standard globally.

We wanted to take a minute and look back at how it has changed businesses, public and private affairs and note some of the most important moments in the timeline since it came into effect in 2018.

The GDPR was adopted in 2016 as a replacement for the long-outdated Data Protection Directive of 1995. Its purpose is to govern how the personal data of EU citizens is collected, processed and stored by any entity subject to the law, which imposes requirements such as privacy by default and by design, mandatory breach notification, and technical and organizational security measures to protect data.

Technology has had a massive and previously unpredictable impact on a global scale, and private data could no longer be managed with rules set in the early phases of the world wide web.

The regulation grants EU citizens extended rights to control and access their data, such as the right to be forgotten, the right to data portability and the right to rectification.

Since its adoption across the entire EU, the GDPR has been continuously reinforced, to the point where the penalties and potential risks of non-compliance have reached a peak that is expected to be exceeded in the coming years.

The fines in numbers

There are two levels of applicable fines for non-compliance. The lower level is up to €10 million or 2% of the worldwide annual revenue from the previous year, whichever is higher. The higher level raises the maximum to €20 million or 4% of worldwide annual revenue, again whichever is higher.

The European Data Protection Board (EDPB) has released a guideline on the calculation of administrative fines under the GDPR, which is currently open for public feedback.

GDPR fines have been a hot topic ever since the regulation came into effect in 2018. But they received massive public attention in 2021, when the Luxembourg National Commission for Data Protection, CNPD, issued a record fine of €746 million ($888 million) to Amazon.

Data protection supervisory authorities across Europe have issued a total of €1.64bn ($1.74bn/£1.43bn) in fines since January 28th, 2022, according to the report published by the international law firm DLA Piper. This represents a year-on-year increase in aggregate reported GDPR fines of 50%. The report also includes an analysis of personal data breach notifications, which have decreased from last year’s total of nearly 120,000. Since January 2022, regulators have received approximately 109,000 personal data breach notifications.

On average, the fines referred to the European Data Protection Board (EDPB) for a ruling during 2022 show an increase of 630%. More precisely, the total number of fines to date (May 2023) has reached 1,640, amounting to over €2.7bn.

How do organizations invest in data protection?

The main takeaway about investing in data protection is that compliance is only part of the equation. As it has gradually become a part of everyday life in Europe, the GDPR has increased the general awareness about the need to protect sensitive, private information. Consequently, organizations that are looking to build a trust-based relationship with their customers are most often the ones that are investing in and maintaining a solid data protection program. This acts as a reassurance for customers, who are at ease about their private information, but it is also the safest way to avoid financial damage due to fines and a tarnished reputation.

There is no straightforward answer to how much should be allocated for GDPR compliance. Many variables come into play, including company size, industry, data and processing activities, data transfers and security risks.

According to the Ten Thousand Commandments 2022 report, the limited available U.S. federal government data and reports, together with contemporary studies, point to a "placeholder estimate for regulatory compliance and economic effects of federal intervention of $1.927 trillion annually".

New privacy shield after Schrems II

Another widely debated subject has been the effect of the GDPR on data transfers and its implications, especially after Schrems II in July 2020. The EU-US Privacy Shield, used by many companies as a data highway between the EU and the U.S., was invalidated.

In November 2020, the EDPB released a set of guidelines covering technical measures organizations can implement to ensure a compliant data transfer. Negotiations between the EU and the U.S. intensified in 2021, and although it is considered a sensitive issue, on March 25th the U.S. President and the President of the European Commission announced an “agreement in principle” without providing further details.

While there is still more to come regarding future EU-US data transfers, the European Commission and the U.S. government's "Trans-Atlantic Data Privacy Framework" is meant to foster trans-Atlantic data flows and has yet to be translated into legal documents. The aim of this framework is a free and safe data flow between the EU and participating U.S. organizations, with a new set of rules and binding safeguards that limit access to data by U.S. intelligence agencies.

Other data protection laws that have been adopted

According to Gartner, by 2024, 75% of the world's population will have its personal data covered under modern privacy regulations. In addition, Gartner predicts that the average annual budget for privacy spent by large organizations will exceed $2.5 million by 2024.

And the latest privacy acts adopted support this statement:

  • The U.S. states of Virginia and Colorado followed in the footsteps of California and passed data protection laws. The Virginia Consumer Data Protection Act (“Virginia Act”) became effective on January 1st, 2023, and the Colorado Privacy Act (“Colorado Act”) will come into effect on July 1st. At least twelve other states are working on their own consumer privacy legislation.
  • China passed the Personal Information Protection Law (PIPL) which came into effect on November 1st, 2021.
  • Saudi Arabia and the UAE have adopted their first standalone personal data protection laws.
  • Thailand’s Personal Data Protection Act became fully enforceable on June 1st, 2022.
  • The new version of the Network and Information Systems Directive (NIS2 Directive) came into force on January 16th, 2023. The European Data Governance Act, which is fully in line with EU principles, entered into force on June 23rd, 2022. Following a 15-month grace period, it will be applicable from September 2023.
  • The European Union still has in proposal other data protection laws such as the ePrivacy Regulation.
  • The Data Protection and Digital Information Bill, which aims to simplify the UK GDPR, is stuck at second reading. The bill had its first reading in May 2022.
  • In addition, a major piece of legislation to watch in 2023 is the Data Act, which will control the unauthorized use of data produced by the Internet of Things. The Artificial Intelligence Act will include standard contractual clauses for supervisory authorities over data generated by AI.
  • Ireland dominates the top ten largest fines and is at the top of 2023’s country league table for aggregate fines imposed to date. Its fines total more than €1.0bn ($1.06bn/£0.87bn).
  • With the introduction of ChatGPT by OpenAI on November 30th, 2022, data privacy and security concerns have been raised. On March 31st, 2023, Italy’s data regulator, the Garante, temporarily banned ChatGPT over violations of the GDPR. Other countries such as France, Germany and Ireland could soon follow in Italy's footsteps.

What the future has in store

The publication of the new guidelines by the EDPB and national authorities has created a mixed landscape. On one side there are companies still struggling with compliance and having difficulties getting things right. On the other, it is impossible to deny the effect on improved security practices.

From what we’ve seen so far, GDPR compliance is massively simplified when companies develop a data protection and security first mindset. It is clearly an ongoing process, and in an ever-changing landscape organizations must continuously adjust their processing activities, procedures and security. With so much at stake, we can assume that things will stabilize sometime soon and compliance with data protection guidelines will have become business as usual globally. If you want to assess your level of GDPR compliance or have any data security related issues or questions, send our Security team a message and put your mind at ease about this sensitive issue.


Adina Nichitean