GDPR Turns One

The b Issue

Edward Percarpio, Privacy Architect Leader, Sovy

At the end of May the GDPR will crawl out of infancy to take its first shaky steps of toddlerdom. One year on, what does the GDPR have to say for itself?

The Buzz

For a dry piece of data protection law, the GDPR has generated an immense amount of chatter. In 2018, GDPR had 300,000 media mentions worldwide (compared to 100,000 for Mark Zuckerberg, for example), and Google ranked its birth trendier than both Beyoncé and Kim Kardashian.

Individual action is a critical part of the GDPR’s enforcement model, so one would hope that this awareness would translate to better compliance efforts. Luckily, that seems to be the case. Individual complaints to Data Protection Authorities about GDPR violations neared 100,000 in January, leading to over 200 formal investigations. While it’s hard to say whether 100,000 is a high number or a low one, it’s certainly higher than it was before the GDPR. That’s good enough for me to tentatively say that the GDPR has made people more aware of and empowered to exercise their data privacy rights.

The Babble

On the other hand, the GDPR buzz hasn’t always led to individual enlightenment. False rumors and paranoia have led many astray. In Ireland, some schools have banned parents from taking pictures of their children at school events “because of GDPR”. (Note: it’s most likely OK to take pictures of your child at school events, provided you’re not using other children’s pictures for commercial purposes.) Many companies are over-reliant on consent as their lawful basis for processing when they probably shouldn’t be, which increases the burden on both the company and the consumer.

The Teeth

From a business point of view, the GDPR has made a notable impact on data breach notification practices. During the first 8 months, over 59,000 data breach notifications were reported by organisations across the European Economic Area. The Netherlands, Germany, and the UK led the EEA with about half of the total breach notifications. (When adjusted per capita, Ireland ranks second and Greece, Italy, and Romania are at the bottom.) This jump in data breach notifications marks significant progress for corporate compliance and transparency with the public and the government.

The GDPR has also made a significant impact on the regulatory environment across the world. 23 of the 29 EU countries have implemented the GDPR into their national laws, and countries such as the U.S. (California Consumer Privacy Act), Canada (PIPEDA), and Brazil (LGPD) have used the GDPR as a model for updating their data protection laws.

The Gums

While individual complaints and data breach reporting have increased, Data Protection Authorities (DPAs) have gotten off to a slow start in terms of fines and penalties. To date, DPAs have issued €56 million in fines for over 200,000 cases, which feels substantial until you realise that almost all of it comes from a single instance. (French DPA CNIL fined Google €50 million in January.)

Finally, despite the generally positive outlook, the fact remains that over 50% of regulated organisations are still not GDPR compliant. In fairness, the GDPR imposes many changes to businesses’ operational and technical infrastructure. But at the same time, citizens and DPAs are mobilising the enforcement process at an unprecedented pace, so organisations would do well to kick their compliance programmes into gear.

How can Sovy help

Sovy have designed compliance software specifically for SMEs. Through their Compliance Hub with GDPR Privacy Essentials℠ they offer tailored policies, eLearning, personal data inventory tools, a website cookie scan, a consent manager, and more. For more details visit the Sovy Affinity page.

THE BUSINESS OF IRISH SMEs