Happy Birthday GDPR - How are things 1 year on?

The general data protection regulation, better known under its acronym, the GDPR, is a piece of legislation which came out of Brussels last May.

The GDPR turned 1 year old on 25th May 2019 and sets out to protect individual’s online data within the EU. However, the GDPR extends far beyond Europe’s borders as even foreign companies, if they are processing the data of European citizens, fall under its scope. Hence, given its wide application, it is easy to see how the GDPR has been making waves in the tech industry specifically, where personal data is often processed on a mass scale.

Life pre-GDPR

Before its implementation, the majority of companies reported some level of concern with the incoming GDPR, and for good reason. Becoming GDPR compliant is no small task for businesses. Companies had to learn and understand the GDPR’s terminology, understand data subjects’ rights under the law and had to become more organised than ever. Hence, compliance requires constant attention and finding the right personnel to tend to these sensitive matters that have the potential to cost the company millions of euros. 

Facts and Figures over the last 12 months

Nevertheless, over the course of the legislation’s first year, national supervising authorities within the European Economic Area have received over 144 000 questions and complaints and have logged over 89 000 data breaches.

Everything taken into account, just over 280 000 cases have been opened in relation to the GDPR in the past year, and 37% of them aren’t even settled yet.

Although the sheer number of queries and complaints seems worrisome, there is a silver lining.

More and more, European citizens are aware of their data protection rights as over two thirds of the population has heard of the GDPR and over half of that statistic have a deeper understanding of their rights under the new law. Furthermore, most Europeans know of the public authorities that have been created and mandated to protect their online data.

These statistics demonstrate that although we are in the presence of not only a new law, but a developing field of law as well, the population is well informed. 

However, despite the large numbers mentioned above, in its first year, the GDPR and the relevant authorities have been somewhat kind to those that fall under its reach.

It has been reported that of all the complaints and data breaches, only 91 corporations have been issued fines accumulating to a grand total of €56M. Yet, when taken into account that €50M of that total was issued to a single company, everyone’s favourite search engine, it really puts everything into perspective. 

Have the authorities taken a soft touch?

In light of this, some have criticised that the authorities have been soft when issuing fines under the GDPR.

Maybe it is better say the they have been fair and reasonable.

The authorities could have easily used the full force of the law and issued fines of up to €20M or 4% of the company’s global revenue.

However, their goal under the GDPR is not to financially ruin companies and send them down the path to insolvency.

The whole idea behind the implementation of the GDPR is to coax companies into setting up better practices to protect consumer data.

This becomes evident when looking at the fines that have been issued under the GDPR. Companies that advised the relevant authorities and individuals and took all the appropriate steps when faced with a data breach have received fines that reflect their efforts to remediate the situation. On the other hand, corporations that showed little regard for the GDPR in the case of a data breach have been given heftier fines even if said breach occurred on a smaller scale. 

It is believed however that these “reasonable” fines will not be here to stay. Given that the GDPR is still relatively new, the authorities are giving companies a chance to get up to par in a sort of transitional period. Heavier fines with the full force of the GDPR behind them are surely on their way sooner than we might hope. 

What about the next 12 months?

Looking towards the future now, it can be said with confidence that the GDPR had a global impact over the course of this past year. As Europe amped up their data protection laws, several other countries followed suit. Canada, notably, updated their own data protection law to follow several ideas found in its EU counterpart.

Tech giant Microsoft’s CEO praised the GDPR and expressed his hope for not only a future GDPR-inspired law for the United-States, but a unified global standard used by all. Apple’s Tim Cook taking a leaf out of the GDPR suggested the implementation of a “Data Brokers Registry” in the USA which would allow data subjects to have access their data that is being sold online and, if they wish, to delete it. 

We think it is safe to say that the GDPR had a successful first year. Companies are taking measures to protect data-subjects, the later are educated on the matter and are aware of their rights, and even the rest of the world is looking towards the EU for inspiration for their own data protection regulations. 

For any specific advice on the GDPR or your privacy practices, please don’t hesitate to get in touch!

Author: Justin Boileau, Legal Consultant @ Gerrish Legal, June 2019.