The doomsday data cults were wrong. One year on from the General Data Protection Regulation (GDPR) coming into force, the world is still turning, businesses haven’t collapsed and there haven’t been any billion-dollar fines.
Rewind to the run-up to the 25 May deadline last year and a very different picture was being painted. Much emphasis was put on the company-crushing fines that data regulators would have at their disposal: a maximum fine of 4% of global turnover or €20m for falling foul of the world’s toughest data laws.
But these penalties were always reserved for only the most serious of data breaches. As of 18 February 2019, European data regulators across 11 EEA countries have imposed a total of €56m in GDPR fines.
On the surface that might sound a fair whack. But the lion’s share of this comes from Google, GDPR’s biggest casualty to date. It was slapped with a €50m penalty for “a lack of transparency, inadequate information and lack of valid consent regarding ads personalisation” by CNIL, France’s data regulator.
Although it hasn’t been raining fines since GDPR’s implementation, there has been an increase in the number of businesses reporting a data breach. According to law firm DLA Piper, European businesses reported 59,000 data breaches between 25 May 2018 and February 2019. This suggests that GDPR has encouraged better reporting, where prior to GDPR companies had a more lax approach.
“GDPR has been an incredibly interesting case study in that everyone thought it would bring modern business to a halt,” says Prem Ananthakrishnan, VP of products at Druva, a cloud data protection and management company.
“The EU DPA has focused on raising awareness this year versus handing down harsh fines and businesses are learning how to navigate this new world of increased regulation.”
GDPR fines are coming, warns ICO
Some data regulators seem to have been more trigger-happy than others. Germany has reportedly issued 41 GDPR fines, but they tend to be for small-scale violations.
Meanwhile, the UK’s data regulator, the Information Commissioner’s Office, is yet to issue a single fine under GDPR. But the reason for this is simple, and somewhat banal: there just hasn’t been enough time to conclude investigations that fall under the remit of GDPR.
“Under the old law it took around 500 days from a breach occurring to a fine being issued,” says Robert Wassall, head of legal services at cybersecurity firm ThinkMarble. “Applying a similar timescale suggests that fines will not be issued until October 2019.”
According to the ICO, we can expect GDPR fines even sooner than that – possibly in the next few months.
“The first fines under the General Data Protection Regulation are due to be issued soon, once the necessary legal processes have been completed,” an ICO spokesperson told Verdict.
Marriott Hotel could be one of the companies in the ICO’s GDPR crosshairs, after hackers stole the personal details of around 500 million guests in late 2018. Based on its £22.9bn turnover in 2017, it could face a fine of up to £720m.
Another reason for the lack of fines in the UK is the ICO’s educational rather than punitive approach.
“We want organisations to focus on how data protection law can help them to get it right and enhance their reputations by earning people’s trust and confidence, rather than how they might be punished if they get it wrong,” the ICO spokesperson said.
One year on from GDPR’s implementation and other myths have become apparent, such as the US not having to worry about EU data laws. Despite this, GDPR has had surprisingly large ripples across the pond.
“The biggest impact of GDPR has been not in European capitals, but in Washington, Palo Alto, Sydney and beyond,” says Kevin Bocek, VP security strategy and threat intelligence, Venafi.
“Privacy is now a popular topic with both politicians and technology CEOs; this is a credit to the rise of GDPR.”
“This regulation was just the first phase, serving as the basis for much of the newer legislation we’re seeing in California, Brazil, India and Japan — and we can expect more countries and regions to follow suit,” adds Ben Jackson, general manager of SAP Customer Data Cloud, SAP Customer Experience.
But as GDPR enjoys its first birthday and the attention it has brought on data privacy during its short existence, the doomsayers may yet be right when it comes to large fines.
“I do think that the lack of fines has unfortunately, but understandably, led many organisations to wonder if the GDPR has been ‘overhyped’ and led to them being less concerned about complying with data protection, but I also think we are currently in a lacuna that will end in about 6 months when the GDPR effectively ‘kicks in’,” says Wassall.
“The introduction of GDPR was not a deadline but the start of an ongoing process and there is a lot more work to be done,” said the ICO spokesperson.
“That said, we will not hesitate to act in the public’s best interests when organisations wilfully or negligently break the law. The enforcement action we have planned during the coming months will demonstrate that.”