In the year since the EU-wide law was introduced, has GDPR done enough to protect personal data?
Tomorrow marks one year since the introduction of the General Data Protection Regulation (GDPR), the EU-wide legislation governing how organizations collect and protect consumers’ personal data.
GDPR was established to replace country-specific laws with an overarching regulatory body, enforced by each nation’s privacy watchdog.
It was welcomed by privacy advocates for its expanded regulation on what constitutes personal data, as well as the huge fines imposed for those who defy it – €10 million or 4% of annual turnover, whichever is greater.
But have the new rules gone far enough to keep up with a modern digital society?
Needless to say, the strict regulation hasn’t stopped businesses from mishandling data entirely.
Violations in the past 12 months include Polish marketing agency Bisnode, which was fined €220,000, a Portuguese hospital, which paid out €400,000, and Google’s €5 million fine by French regulators.
Facebook is also facing a fine of $1.63 billion by the Irish Data Protection Commission after a security incident last year that resulted in almost 50 million accounts being exposed through a flaw in the ‘View As’ feature.
A survey from law firm DLA Piper revealed that there were 59,000 personal data breach notifications in the months from May 2018 to January this year.
It took into account the period between the enforcement of GDPR – May 25, 2018 – and Data Protection Day – January 28, 2019.
Residents of the Netherlands received the most notifications in this time period – 15,400 – followed by Germany (12,600) and the UK (10,600).
More recent figures from May 2018 to February this year suggest that 65,000 breach notifications have been sent to individuals across the EU since GDPR became law.
The high volume of reports suggests that GDPR has succeeded in ensuring that the majority of data breaches don’t go unreported.
But has it lived up to the hype? Not quite, according to critics of the legislation.
“First and foremost, GDPR has put privacy in the spotlight,” Fouad Khalil, vice president of compliance at SecurityScorecard told The Daily Swig. “Privacy is the norm now and organizations should simply move with the pace.”
But, Khalil noted, the implementation of the privacy-focused regulation has not been smooth sailing.
“It has been reported that many organizations are still struggling to be GDPR compliant even today.
“One obvious reason was the hope many organizations had that they are scoped out of GDPR compliance, but to their surprise they are not,” he said.
A survey published earlier this week suggested that businesses are increasingly grappling with the realities of becoming GDPR compliant.
Of these companies – all of which have a global average revenue of at least $282 million –79% admitted that they are failing to meet requirements.
They are spending on average $1.3 million annually on data protection costs, though one in four said they don’t consider themselves knowledgeable of what the laws actually mean.
This is an issue worldwide, as even those organizations outside of Europe must be GDPR compliant when handling data provided by someone within the EU area.
A common criticism states that while GDPR serves well as a data protection notification service, it has failed to impose the heavy fines promised in order to keep big businesses in check.
Violations of the code have seen just over $55 million in fines paid out so far – an impressive figure, sure, but not so impressive when you take into account Google’s $50 million penalty alone.
Despite its drawbacks, many agree that GDPR has served as a good model for other countries.
The US, namely, is poised to pass its own GDPR-style bill after a number of high-profile breaches have seen lawmakers look to the European model for inspiration.
Incidents such as last year’s Marriott hotel breach, which saw 500 million guests’ personal details leaked, and the 2017 Equifax hack, when the data of 145.5 million customers was compromised, have forced the importance of protection into the spotlight.
Khalil told The Daily Swig: “The GDPR tidal wave impact has been felt globally. US states, such as California, and others pending, have implemented GDPR-like privacy laws.
“South American [countries], such as Brazil, have enacted GDPR-like data protection law, [the] LGPD (Lei Geral de Proteção de Dados). Asia-Pacific region laws and best practices are also brewing in the same fashion.”
Mark Trinidad, senior technical evangelist at Varonis, agrees. “The GDPR has acted as the first step to force global companies to change their thinking around data protection and the new California Consumer Privacy Act (CCPA) will be another when it comes into effect.”
Singapore has been a leading voice for privacy advocacy in the Asia-Pacific region, announcing that it will introduce a mandatory data breach notification law in the coming months.
Australia’s efforts should also not be forgotten. The country enacted its Notifiable Data Breach scheme pre-GDPR, in February 2018, which was well-received yet criticized due to the vague wording of the policy.
As for the US, all 50 states now have data breach notification laws, but so far California has led the way in drafting privacy-conscious legislation with the California Consumer Privacy Act (CCPA).
The CCPA, which will come into effect on January 1, 2020, has been hailed as one of the first US bills to employ appropriate safeguards for citizens.
Key differences from GDPR are that it only governs data in the state, and applies to businesses with an annual gross revenue above $25 million, or those that derive 50% of their income from selling customer data.
GDPR in the US?
Facebook CEO Mark Zuckerberg, Apple’s Tim Cook, and Google’s CEO Sundar Pichai are just some of the names calling for federal policy to be enacted.
Back in March, Zuckerberg wrote in a blog post: “People around the world have called for comprehensive privacy regulation in line with the European Union’s General Data Protection Regulation, and I agree.
“I believe it would be good for the internet if more countries adopted regulation such as GDPR as a common framework. New privacy regulation in the United States and around the world should build on the protections GDPR provides.”
And at last year’s Aspen Cyber Summit in San Francisco, Republican Congressman Will Hurd told the audience: “One of the things we will be looking at is GDPR. Is it working, is it not working, is it something that we may be moving to?”
Only time will tell whether GDPR will serve as inspiration for federal law in the US and worldwide.
As for GDPR, ICO information commissioner Elizabeth Denham recently told how GDPR is at “critical stage”, placing onus on the need for accountability – something which, she says, has not yet been achieved.
Denham, speaking at the Data Protection Practitioners’ Conference in April, told how GDPR brought about a major change in expecting businesses and organizations to be accountable for the way they collect and process data.
“We find ourselves at a critical stage. For me, the crucial, crucial change the law brought was around accountability. Accountability encapsulates everything the GDPR is about,” she said.
But, she added: “I don’t see it in the breaches reported to the ICO. I don’t see it in the cases we investigate, or in the audits we carry out.”