The GDPR regulations entered into law on 25th May 2018
Data subject rights are one of the key areas of change under the General Data Protection Regulation (GDPR). Data subjects can invoke a greater set of rights against businesses and organisations that process their personal data. But what has been the overall impact?
Unsurprisingly, there has been no shortage of complaints around GDPR. According to surveys taken approximately 8 months after GDPR took effect, there have been 59,000 complaints of data breaches in violation of the GDPR since the law went into effect in May 2018. However, the same report found that only 91 fines have been handed out.
Whilst the strategy of the Data Protection Authorities (DPAs) set up in each EU member state has so far been one of encouraging organisations to reach compliance, this is now evolving into a clear mandate to reach compliance and to provide proof that the policies and measures adopted can be clearly evidenced in an organisation's day-to-day operations.
The largest fines so far have been handed out to social media giants, like Google and Facebook.
In January, Google was fined $56.8 million (€50 million) by the French data regulator CNIL for failing to adequately inform consumers about collecting data used in online ads, citing a “lack of transparency, inadequate information and lack of valid consent to personalise advertising.”
Facebook is also bracing for possible GDPR fines as a result of a 2018 data breach, among other potential problems. The social media giant has stockpiled a reported $3 billion to pay the Federal Trade Commission (FTC) fines that are expected as a result of its handling of the Cambridge Analytica scandal in 2016.
The Global GDPR Journey
Compliance is a multilateral affair when it comes to GDPR, and many organisations around the world are at various stages of their GDPR journey.
An example of this can be seen clearly in the United States, where only approximately 27% of companies are fully compliant with GDPR. Some companies have struggled with the GDPR's requirements around access rules, while others have struggled with the mandate that companies must apply one of the six lawful bases for processing a data subject's data. Legitimate Interest in particular has been puzzling many an organisation's marketers.
Most companies that deal with EU citizens are only managing compliance with the most basic requirements of GDPR. However, the more difficult requirements of GDPR, such as the need to build “privacy by design” and “privacy by default” into business processes and systems, will likely take years to meet without the guidance of GDPR experts.
GDPR has also given rise to a number of similar data protection laws around the world, which is another aspect of the data regulation phenomenon.
For example, Brazil's Lei Geral de Proteção de Dados (LGPD) is almost an exact copy of the GDPR. The law, which enters into force in 2020, requires anybody doing business with Brazilian citizens to abide by the law or pay fines that could exceed the equivalent of $10 million.
Japan was seen to be proactive with its data protection laws with its 2017 Act on the Protection of Personal Information, and following the passing of the GDPR into law, it established a degree of mutuality with the EU, which has resulted in a “white list” of foreign companies that are allowed to handle the data of Japanese citizens.
Other nations, such as India, are in the process of raising the bar on their own data protection bills. India's Personal Data Protection Bill is modeled on GDPR and contains provisions around consent and the right to be forgotten.
Concerning the United States, there is no consolidated law covering all applicable uses of private consumer data. However, the California Consumer Privacy Act of 2018 (CCPA) will introduce sweeping changes and give Californians broad digital rights when it comes into effect on January 1, 2020.
The recent upsurge in data protection laws passed around the globe has helped fuel awareness of data localization, whereby organisations must comply with stringent conditions before they are allowed to move or share data about a citizen out of that citizen's country. Russia and China are two examples of countries with strict laws covering data localization, or data sovereignty as it is often called, and this has created some conflict with US organisations.
GDPR is held up as the leading model for consumer data protection. But some Europeans are wondering if GDPR may go a bit too far in restricting the use of data and potentially debilitating Europe’s emerging AI economy.
Like any law, GDPR will need some tweaks to adapt to the rapidly changing data landscape. Although it is not yet clear which changes will be adopted, there are several ways that it could change.
One way it could be changed is to include specific protections for location data. The EU is currently considering a new ePrivacy Regulation, or ePR, that could augment GDPR to set rules on the handling of electronic communications, such as cookies and location data.
Relentless GDPR 24/7 has you covered!
Compliance with the EU's new data protection regulation is complex and requires teams to work effectively together. Relentless 24/7 Portal's intuitive interface and thoughtful workflows simplify the compliance process by organising it into clear, simple, assignable tasks via a cloud-based compliance hub. Built from the ground up, this feature-rich portal, which is accessible 24/7/365, is a must-have for any organisation planning its GDPR compliance strategy. Register now for a free 14-day trial of Relentless GDPR 24/7.