Happy Birthday GDPR! On May 25th, internationally we will be “celebrating” the first anniversary of the EU’s General Data Protection Regulation (GDPR). Nearly one year later, have the stricter rules really made a difference? Consumers are definitely seeing more pop-up privacy notices online, thanks to GDPR, but for now the astronomical fines the new regulations threatened have not yet surfaced.
GDPR may seem like a burden, but as companies rebuild trust with consumers, it will become a sustainable approach developing both innovation and accountability. The goal of the regulation? To help EU citizens control their personal data and how it’s collected, shared and used. But the sweeping nature of the GDPR means that it’s not just EU-based websites and technologies that fall under its remit, but any that might potentially be accessed by an EU citizen.
The GDPR’s roll-out represented a pivotal change for businesses and companies, who previously had free rein over the data that they collect. Prior to this regulation, they did not have to disclose what data was stored, what purpose it served, nor why they wanted it.
However, all business development professionals know that data is critical for doing business – driving insights into targeted marketing campaigns, optimizing sales etc.
Under the GDPR, significant updates have been made impacting marketing-oriented tools such as website cookies and newsletter sign-ups/opt-outs, which collect customer data for marketing purposes. Under the GDPR, clear and simple explanation is required for what opting-in means and for asking a user’s permission. Gone are the days where filling in a form meant “here is my information, please use it wherever you want and sell it to the highest bidder”.
But staying compliant involves more than a customer’s consent to share their data. Companies have had to rework their systems to ensure that it’s clear where data is stored, which data reflects sensitive or personally identifiable information, and who has access to it. Other mandatories include explaining how exactly a company will use an individual’s data and why.
The data minimization component of the GDPR says that companies must limit how long they hold onto data, as well as make public the ability to delete or amend the data collected upon each individual’s request.
Marketing automation, lead generation and PR pitching are all areas where marketers have to double-check that they comply with GDPR standards.
But with one in five businesses believing that complete GDPR compliance is impossible, and less than half admitted to being fully compliant with the regulations, this is an area where marketers need to work closely with leadership to ensure they adhere to all aspects of the GDPR – or risk substantial fines.
GDPR gives the individuals in the EU much greater control over the data, including the right to demand that companies reveal how their data is being used, and to ask corporations to destroy their data.
With confusion surrounding this rollout and how exactly does “be forgotten” happen, there was a window of time given to organizations to comply with this portion of the regulation. That grace period will likely end soon, and companies will start to see enforcement truly begin.
While some aspects of the GDPR may be open to interpretation, others aren’t – and the stakes are high. Fines of up to 4% of global revenue turnover apply to those who fail to comply with GDPR, and the first enforcement actions have been taken. At the nine month mark, the European Data Protection Board (EDPB) delivered a report illustrating its progress. It highlights the implementation and enforcement of GDPR, as well as the Supervisory Authorities level of cooperation, for more information on this report, please visit here.
Since the GDPR roll-out, nearly 60,000 data breach notifications were served, with 91 fines issued. The largest being a 50 million Euro fine leveled against Google, due to lack of transparency over the information that will be tracked when creating a Google account. According to the GDPR, there are 10 criteria used to determine the amount of the fine:
- Nature of Infringement – # of people affected, type of damage, duration of infringement, and purpose of processing.
- Intention – if the infringement is intentional or negligent
- Mitigation – action taken to mitigate damage
- Preventative Measures – the level of preparation prior to the incident
- History – past relevant infringements, whether under the GDPR, the Data Protection Directive, or past administrative corrective actions under the GDPR
- Cooperation – the level of collaboration between the firm and supervisory authority in remedying the infringement
- Data Type – what types of data were impacted
- Notification – how the infringement was reported to the supervisory authority
- Certification – whether the firm was GDPR certified prior to the breach or adhered to approved codes of conduct
- Other – other aggravating or mitigating factor; and lack of opt-in consent for its personalized ads.
In the first nine months of GDPR taking effect, the European Data Protection Board (EDPB) confirmed over 200,000 cases reported. Approximately 65,000 cases were data breaches reported by a data controller and 95,000 were complaints. Of the 200,000 cases, 52 percent have been closed, and 1 percent are currently being challenged in national courts.
What has the last year taught us?
I feel there is one key take away, that regulators have called the 2018-2019 year a “transition year,” and we should expect an increase in future volumes of breach and violation cases. If a business does experience a data breach or violation, it is imperative that they cooperate in a swift and communicative manner. So while GDPR enforcement will continue to evolve, businesses must develop swift response protocols to avoid GDPR non-compliance as it can result in significantly lower fines from DPAs.
For more information on how Digital Edge can assist your business with becoming GDPR compliant, contact us today!