Happy Birthday GDPR! Its Year in Review and the Future for Data Protection
The European Union’s General Data Protection Regulation (GDPR) turned a year old on May 25, 2019 already becoming a benchmark for privacy and data protection compliance. Undoubtedly, one of the great successes of the GDPR to date has been reminding consumers of their rights surrounding data privacy, and forcing organizations to improve their own data privacy practices. The GDPR gives EU residents the right to request a portable copy of their data, the right to get their data erased, and the right to revoke their consent. In addition, most organizations are now required to have a legitimate interest to collect and use data, and can no longer retain consumer data indefinitely.
The GDPR applies to any organization operating within the EU, as well as any organizations outside of the EU that offer goods or services to customers or businesses in the EU. The GDPR sent many U.S. companies scrambling to become ready to comply – taking up to seven months to prepare to meet the compliance deadline. But even for businesses that have avoided the GDPR’s extended reach, awareness of data privacy issues is a must, especially considering that cybersecurity is predicted to be the world’s fastest-growing industry by 2026. This is due to more and more countries around the world implement their own privacy laws following elements of the GDPR, including the ethics of data collection and consumer consent. With the GDPR as a catalyst, California’s Consumer Privacy Act and Brazil’s data protection law, Lei Geral de Proteção de Dados (LGPD), are just the tip of the iceberg. The United States is also under pressure to create its own federal data privacy law – the interoperability between a U.S. law and the GDPR would reduce the cost and complexity of compliance for U.S. companies.
European authorities have received nearly 65,000 data breach notifications in the past year, and over 200,000 complaints about organizations’ data protection practices. Regulators in 11 European countries have imposed $63 million in the GDPR fines, with the largest fine issued to Google in January 2019 when the French data protection authority slapped it with a €50m fine for breaking the GDPR rules around transparency and a lack of legal basis when processing people’s data for advertising purposes.
This doesn’t necessarily mean data breaches are occurring more or less frequently – but the GDPR’s mandatory breach notification laws have brought more breaches into the light. Some have expressed concerns that regulators aren’t doing enough, and that the lack of enforcement means some companies will put GDPR on the backburner. However, data watchdogs across the EU are still investigating thousands of data breach notifications, and the investigations usually require a long period of time to conclude. Still, many organizations have a long way to go to comply with the GDPR, and amid many high-profile data breaches in the recent months, it remains to be seen whether, in a post-GDPR world, consumers will feel their data is truly safer.