The General Data Protection Regulation (GDPR) turns 4 on May 25th. It is one of the most impactful laws active in the European Union and it is regarded as the gold standard globally.
We wanted to take a minute and look back at how it has changed businesses, public and private affairs and note some of the most important moments in the timeline since it came into effect in 2018.
The GDPR was adopted in 2016 as a replacement for the long-outdated Data Protection Directive of 1995. Its purpose is to govern how the personal data of EU citizens is collected, processed, and stored by any entity subject to the law, which must meet requirements such as privacy by default and by design, mandatory breach notification, and technical and organizational security measures to protect data.
Technology has had a massive and previously unforeseeable impact on a global scale, and personal data could no longer be managed under rules set in the early days of the world wide web.
The regulation grants EU citizens extended rights to control and access their data, such as the right to be forgotten, the right to data portability, and the right to rectification.
Since its adoption across the entire EU, the GDPR has been enforced with steadily increasing vigor, and the penalties and potential risks of non-compliance have reached a level that is expected to be exceeded in the coming years.
The fines in numbers
There are two tiers of fines for non-compliance. The lower tier is up to €10 million, or 2% of worldwide annual revenue from the previous year, whichever is higher. The higher tier raises the maximum to €20 million, or 4% of worldwide annual revenue, again whichever is higher.
The European Data Protection Board (EDPB) has released guidelines on the calculation of administrative fines under the GDPR, which are currently open for public consultation.
GDPR fines have been a hot topic ever since the regulation came into effect in 2018, but they received massive public attention last year, when the Luxembourg National Commission for Data Protection (CNPD) issued a record fine of €746 million ($888 million) to Amazon.
Data protection supervisory authorities across Europe have issued a total of nearly €1.1 billion in fines since 28 January 2021, according to a report published by the international law firm DLA Piper. The report also analyzes personal data breach notifications, which increased by 8% over the previous year (356 breach notifications per day compared to 331 in 2020), for a total of over 130,000 personal data breach notifications in that timeframe.
In actual figures, the total number of GDPR fines to date has reached 1032, totaling an amount of more than €1.6 billion.
How do organizations invest in data protection?
The main takeaway about investing in data protection is that compliance is only part of the equation. As it has gradually become a part of everyday life in Europe, the GDPR has increased the general awareness about the need to protect sensitive, private information. Consequently, organizations that are looking to build a trust-based relationship with their customers are most often the ones that are investing in and maintaining a solid data protection program. This acts as a reassurance for customers, who are at ease about their private information, but it is also the safest way to avoid financial damage due to fines and a tarnished reputation.
There is no straightforward answer to how much should be allocated for GDPR compliance. There are many variables to consider, including company size, industry, data and processing activities, data transfers, and security risks.
On average, U.S. businesses spend $10,000 per employee on regulatory compliance, according to the Ten Thousand Commandments report.
New privacy shield after Schrems II
Another widely debated subject has been the effect of the GDPR on data transfers and its implications, especially after the Schrems II ruling in July 2020, which invalidated the EU-US Privacy Shield that many companies had used as a data highway between the EU and the US.
In November 2020 the EDPB released a set of guidelines covering technical measures organizations can implement to ensure compliant data transfers. In recent months, negotiations between the EU and the US have intensified, and although it is considered a sensitive issue, on March 25th the US president and the President of the European Commission announced an “agreement in principle” without providing further details.
Predictably, this will remain at the top of everyone’s agenda as clarifications are expected.
Other data protection laws that have been adopted
According to Gartner, by 2023, 65% of the world’s population will have its personal data covered by modern privacy regulations.
The latest privacy acts adopted support this statement:
- US states Virginia and Colorado followed in the footsteps of California and passed data protection laws set to come into effect in 2023. At least twelve other states are working on setting their consumer privacy legislation.
- China has passed the Personal Information Protection Law (PIPL) which came into effect on 1st of November 2021.
- Saudi Arabia and UAE have adopted their first standalone personal data protection law.
- Thailand’s Personal Data Protection Act is coming into effect soon, on the 1st of June.
- In the European Union, new data protection laws are planned for 2022, such as the NIS 2 Directive, the ePrivacy Regulation, and the Data Governance Act.
What the future has in store
The publication of new guidelines by the EDPB and national authorities has created a mixed landscape. On the one hand, there are companies still struggling with compliance and having difficulty getting things right. On the other hand, it is impossible to deny the positive effect on security practices.
From what we’ve seen so far, GDPR compliance becomes much simpler when companies develop a data protection and security-first mindset. It is clearly an ongoing process, and in an ever-changing landscape, organizations must continuously adjust their processing activities, procedures, and security. With so much at stake, we can assume that things will stabilize before long and that compliance with data protection requirements will have become business as usual globally. If you want to assess your level of GDPR compliance or have any data security related issues or questions, send our Security team a message and put your mind at ease about this sensitive issue.