GDPR Lessons Learned

Uncertainty and contradictions defined the first year of General Data Protection Regulation (GDPR) enforcement. 

Companies tiptoed into compliance under threat of colossal fines that would shut down their operations (€20 million or 4% of their annual global turnover, whichever is higher). However, despite the one-year anniversary of the GDPR being marked by 144,000+ complaints from users and 89,000+ reported data breaches, the fines levied in that period were relatively modest.

Analysts believe that the first year of GDPR was a teething period. As businesses continue to struggle with the law’s compliance requirements, it’s time to ask what we can learn from this transition, and where do we go from here?
GDPR Penalties Are Escalating

Other than Google being hit with a £44 million fine for lack of transparency, few companies felt the full force of the GDPR during the law’s first year. That is, until British Airways and Marriott set new records for data privacy penalties in July 2019.

British Airways was fined £183 million by the UK’s Information Commissioner's Office (ICO) after 500,000 customers’ personal data was compromised in a cyberattack. Only one day later, the ICO hit Marriott with a £99 million fine because 339 million guest records had been breached through an unsecured reservation database. 

Other fines across the EU corroborate that the GDPR’s one-year anniversary marks the end of regulator leniency. Spanish soccer league La Liga were penalised £222,000 for spying on fans, because they did not adequately explain in their terms of service that their official app activated the microphone on a user’s device during game time. 

Elsewhere, an online Polish retailer was fined £557,000 for “insufficient organizational and technical safeguards” that caused a data breach, and a Swedish school board received a fine of £16,000 when its facial recognition trial for student attendance didn’t stand up to GDPR scrutiny.

Although these fines aren’t as headline-grabbing as those against British Airways and Marriott, they do indicate that regulators believe all types of organisations have had sufficient time to understand the principles of the GDPR, and should be fined accordingly if they don’t comply. 

The key takeaway for businesses is that they can no longer be complacent about compliance — GDPR fines continue to escalate, and regulators do not discriminate.

Only the Beginning of International Privacy Laws 
The impact of the GDPR has been felt beyond its penalties, with its framework inspiring new privacy laws worldwide. A total of 107 countries have now introduced legislation to protect data privacy. For example, the California Consumer Privacy Act (CCPA) is on the horizon in the US, and is based on a model with similar principles to the GDPR.

As more laws get introduced, companies will be forced to rethink how they do business with the world. After the GDPR went into effect, over 1,000 US publications chose to shut off their content to users in the EU, either because they struggled with compliance, or didn’t think it was worth the cost.

The introduction of the GDPR has set in motion the creation of new global data boundaries, which companies must navigate with caution if they want to avoid financial consequences. In this way, any company that makes GDPR compliance a priority now is also giving itself a headstart with other international privacy laws as they come into force.

Conclusion
Regulators currently have a backlog of data breaches to process, which will likely lead to another wave of record-breaking GDPR penalties in the coming months. Moreover, while regulators have been catching up on this backlog, users have been gradually learning what new rights they have to their data.

According to a report by the ICO, 64% of data protection officers said they have seen an increase in customers and service users exercising their information rights since the GDPR came into effect on 25 May, 2018. Not only are regulators wielding their GDPR authority with more confidence, but users are becoming more aware of their data’s value - and further informed regarding the care companies must take when they process it.

From all angles, understanding compliance requirements and having a firm GDPR overview has never been more important.

___________

Simon Fogg is a legal analyst and data privacy expert for Termly. His focus for the past two years has been tracking the GDPR and its international impacts.

You Might Also Read: 

The GDPR Wake-Up Call Is Being Ignored By Business:

 

 

« Cyber Intelligence & Business Strategy
Cyber Training For Every US Federal Employee »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Cyber Security Associates (CSA)

Cyber Security Associates (CSA)

Cyber Security Associates provides cyber consultancy and cyber managed services which help to detect, protect and educate against the ever-changing cyber threat.

National Cyber Security Centre Finland (NCSC-FI)

National Cyber Security Centre Finland (NCSC-FI)

The NCSC-FI develops and monitors the operational reliability and security of communications networks and services in Finland.

Communications Security Establishment (CSE)

Communications Security Establishment (CSE)

CSE is Canada's national cryptologic agency, providing the Government of Canada with IT Security and foreign signals intelligence (SIGINT) services.

Securely

Securely

Securely Ltd. is an IT consulting and services firm specializing in PKI solutions and products.

Semperis

Semperis

Semperis is an enterprise identity protection company that enables organizations to quickly recover from accidental or malicious changes and disasters that compromise Active Directory.

CSIRT-NQN

CSIRT-NQN

CSIRT-NQN is the Computer Incident Response Team for the Argentine province of Neuquen.

Metrarc

Metrarc

Metrarc has developed a ground-breaking technology called ICMetrics™ for deriving secure encryption keys from the properties of digital systems without the need to store any of the encryption keys.

Blockchain Firm

Blockchain Firm

Blockchain Firm is a leading Blockchain based software solutions and service provider with our roots of expertise running deep into the technology.

Technology Law Alliance (TLA)

Technology Law Alliance (TLA)

Technology Law Alliance is a specialist IT law firm focussed on the fields of technology, outsourcing and e-commerce.

Transmit Security

Transmit Security

The Transmit Security Platform provides a solution for managing identity across applications while maintaining security and usability.

Hyperion Gray

Hyperion Gray

Hyperion Gray are a small research and development team focused on innovative work in a variety of areas including Software & Security Research, Penetration Testing, Incident Response, and Red Teaming

Horizon3.ai

Horizon3.ai

Horizon3.ai is a leader in security assessment and validation enabling continuous security overwatch from an attacker’s perspective through our NodeZero SaaS solution.

Auriga Consulting

Auriga Consulting

Auriga is a center of excellence in Cyber Security, Assurance and Monitoring Services, with a renowned track record of succeeding where others have failed.

CyberQP

CyberQP

CyberQP (formerly Quickpass Cybersecurity) provide Privileged Access Management built for MSPs. Our system is designed to reduce ransomware and social engineering attack risks.

Archon Secure

Archon Secure

Archon GoSilent Cube delivers a CSfC-certified, plug-and-play security solution for classified and unclassified communication when using the public Internet.

Infoline Tec Group Berhad

Infoline Tec Group Berhad

Infoline Tec Group Berhad is principally involved in providing IT infrastructure solutions, cybersecurity service provider and solutions, managed IT and other IT services.