It has been almost a year since the EU General Data Protection Regulation (GDPR) came into effect on May 25, 2018. It was a watershed moment in the realm of data privacy – it made data protection a top priority for organizations worldwide, put the spotlight on customer privacy and spawned stricter laws in California, Brazil, New Zealand and other states and countries. It was a top Google keyword, dethroning even the Queen, as every organization wanted to understand how to be “GDPR compliant” – a query that still persists.
While analyzing GDPR’s key articles is an essential part of laying the groundwork for compliance, as with most laws, the implications of GDPR are better unraveled by examining the ways it has been enforced. With a year’s worth of cases, the time is ripe for a retrospective: what have been the major penalties and overall repercussions of GDPR, and what can we learn from them?
GDPR has Catalyzed an Increase in Cybersecurity Awareness and a Reduction in Breaches
According to the 2019 Cyber Security Breaches Survey by the UK’s Department for Digital, Culture, Media and Sport (DCMS), the share of businesses reporting breaches has fallen to 32%, down from 43% the previous year. The government attributes these results to an increase in cybersecurity awareness driven by the GDPR: “The reduction is partly due to the introduction of tough new data laws under the GDPR. 30% of businesses and 36% of charities have made changes to their cyber security policies and processes as a result of GDPR coming into force in May 2018.”
However, it may still be too soon to determine whether this is just a short-lived trend or whether the GDPR has led to a holistic, organization-wide shift towards being more cyber-secure. What is certain, though, is that GDPR has kickstarted the trend of making cybersecurity a priority for organizations worldwide.
The Authorities have a Keen Eye – Fines Span Offenses, Amounts, and Regions
As per a European Commission report a few months ago, there have been ~60,000 reported breaches since GDPR came into effect. Across all member countries, 91 fines were issued. While the 50 million euro fine against Google hogged the headlines, the majority of fines were of mid-range amounts, from a €5,000 fine for unlawful video surveillance by a sports betting café to a €20,000 fine against a social network operator for failing to secure users’ data. The issuing authorities also span various countries: German authorities issued the bulk, 60 fines, while other countries including France, Austria, Poland, the Netherlands, Finland and even “tiny” Malta have also issued fines. The Data Protection Authorities (DPAs) have also initiated 225 investigations in cross-border cases.
Authorities across the EU are keenly inspecting reported complaints and proactively investigating breaches, irrespective of organization size and location.
GDPR is Staying True to its Ideals
It goes without saying that the GDPR fines and penalties are the driving factor behind organizations taking measures to comply with it. However, the DPAs are staying true to GDPR’s aims of improving customer privacy and data protection, with the fines being used as a deterrent and catalyst, not as a draconian punishment that organizations have to cosmetically adhere to.
Case in point: Knuddels, a German chat service, was fined €20,000 for a data breach in which 300,000 login credentials and 1.8 million usernames and passwords were compromised, as they had been stored unencrypted. The fine was far lower than the GDPR maximum of “€10 million or 2 percent of an organization’s total worldwide annual turnover”. The German Data Protection Authority (LfDI) attributed its leniency to the “exemplary cooperation” of Knuddels in reporting the breach, communicating the lapse to its customers and implementing the security guidelines and recommendations of the LfDI. As the DPA plainly put it, it “is not interested in entering into a competition for the highest possible fines. In the end, it’s about improving privacy and data security for the users.”
It was the Year of GDPR, But We Still Have a Long Way to Go to Be Cyber-Secure
Since its launch a year ago, GDPR has truly made its presence felt. It was searched more often on Google than American superstars Beyoncé and Kim Kardashian. With 300,000 “mentions” in the media worldwide, it even overshadowed Mark Zuckerberg. All the GDPR hype has made organizations scramble to stay cyber-secure in order to be compliant.
However, we still have a long way to go to make organizations holistically and systemically cyber-secure. As the UK’s Digital Minister, Margot James, said, “With less than three in ten of those companies having trained staff to deal with cyber threats, there’s still a long way to go to make sure that organisations are better protected.”
But GDPR has certainly set the ball rolling. With breaches getting smarter and more pervasive, let’s capitalize on this much-needed momentum to secure our organizations’ data, processes and technology and introduce a culture of security.
Data Protection: A Step towards GDPR Compliance
GDPR mandates that organizations have “the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident”. Having a reliable backup and recovery solution is your safety net in the event of a data breach: not only will it aid quick recovery and improve business continuity, but it will also help with “demonstrating compliance”, a proven soft spot with GDPR authorities.