One year after the “fever” called GDPR passed by, many took
measures to comply with the regulation, some, however, chose to stand idly by
and wait to see what will happen. It is not rare to open a company website to
by the Data Protection Act 2003 or that US/Australian companies still resist
hiring an EU Representative.
What the Numbers Say
The GDPR came into effect on May 25, 2018, last year, affecting
how organisations use, store, transmit and process the personal data of EU
residents. Organisations worldwide involved in any of those actions had to
respond accordingly by reviewing, revising and updating relative policies and
procedures in accordance with the new requirements. As you are probably aware,
violations of the GDPR carry fines of up to €20 million, or 4% of the firm’s worldwide
annual revenue from the preceding financial year, whichever amount is higher.
So, twelve months later, why are some organisations still struggling to meet
their compliance obligations?
A survey by IT Governance reveals that, as of December 2018, 71%
of organisations are still not GDPR compliant.
Another survey, conducted in March 2019 by nCipher Ponemon on
encryption trends, shows that only 45% of IT companies have implemented “appropriate
measures” in the form of encryption.
What’s even more shocking is that 25 of 28 official EU
government websites may not even be GDPR compliant per a March 2019 Cookiebot
56% of UK businesses admitted that they had failed to request
consent to store sensitive data and 16% said they had knowingly ignored subject
access requests – from a survey by CybSafe.
To summarise the first year of the GDPR: it was relatively quiet in terms of
enforcement activity. None of the fines imposed reached the promised maximum of €20 million.
As a whole, this year has been one of learning and of ramping up towards
full enforcement as regulators set precedents. At the same time, it
would be entirely wrong to conclude that the regulators are not going to enforce
the GDPR in full force. What we are seeing now is an effort to promote the
right approach and to give advice rather than simply slapping organisations with
Fines for the Non-Compliant
Fines are the ultimate result of non-compliance and
organisations around the globe need to be aware of the travails of the
unfortunate few who have felt the fallout from the GDPR hammer coming down.
The first major fine was issued in Portugal for the amount of
€400,000. The recipient was a Portuguese for non-compliance with the EU GDPR by
not separating access rights to patients’ clinical data.
At least 91 fines were issued during the first eight months
of the regulation. In total, the penalties imposed under the statute
added up to €55,955,871, which might sound impressive until you consider that
Google’s €50 million fine, issued by the French DPA for the inappropriate use of personal
data, accounts for 90% of that amount.
More importantly, the Google case highlighted that product
design and consent are key components of GDPR compliance – not just how you
respond to a data breach or manage cookies. Additionally, while Ireland might
be the EU business headquarters for many tech giants, EU regulators view the
location where privacy decisions are made as paramount when determining
jurisdiction. As a result, regulators can still take action against
non-compliant organisations even if their headquarters are not situated in that
GDPR Applies To Your Organisation
One big misconception surrounding the GDPR is that if your
organisation is not in the EU, the law does not apply to you. That may well
be the case, but be mindful that if your organisation interacts with an EU
resident and collects data during that interaction, then the GDPR is something you
need to be aware of.
Investment in compliance efforts can be costly and
time-consuming for organisations. But it is important to keep in mind that, since
privacy and security are closely related, the primary business advantage of a
comprehensive GDPR implementation is consumer trust. Risking non-compliance
can lead to the reputational and brand damage that accompany any data breach.
You expose your organisation and its compliance flaws to public scrutiny, and
your efforts to secure users’ personal data will always be questioned.