GDPR’s biggest impact may ultimately be its effect on overarching laws to protect customer data.
The story of the now-1-year-old GDPR is interesting in and of itself, but it is perhaps most compelling in terms of what it portends for the future of data privacy, and for the willingness and ability of companies and the U.S. government to protect customer data.
The General Data Protection Regulation, or GDPR as it is more commonly known, is a regulation in European Union (EU) law governing the collection, processing and transfer of personal data belonging to people in the European Economic Area (EEA). It applies directly in every EU member state and, through the EEA agreement, in Iceland, Liechtenstein and Norway as well. Under the regulation, entities that collect and process personal data of people in those countries must follow defined stewardship practices and honor what amounts to a "bill of rights" for individual control over personal data. The GDPR was adopted in 2016 and became enforceable on May 25, 2018.
The European Data Protection Board, the EU body that coordinates the national data protection authorities enforcing the GDPR, has released figures on the regulation's effects through the end of 2018.
Roughly 95,000 complaints were filed under the GDPR during that period. About 60,000 of those were lodged between May 25 and the end of November 2018; December alone added another 35,000, an increase of nearly 60% over everything accumulated up to that point. Likely contributors to the spike include the publicity around data breaches at Facebook, Quora, Google+ and Signet Jewelers (parent company of Jared and Kay Jewelers).
Nine months after the GDPR took effect, more than 41,000 data breaches had been reported to supervisory authorities. Under Article 33 of the regulation, a data controller must notify its supervisory authority within 72 hours of becoming aware of a breach, unless the breach is unlikely to put individuals' rights and freedoms at risk. The obligation sits with the controller itself, not with its data protection officer.
Out of the 95,000 complaints lodged in 2018 came 255 investigations. From those, the European Data Protection Board highlighted three cases that resulted in fines: a sports betting cafe was fined €5,280 (approximately $6,000) for unlawful video surveillance, and an unidentified "social network operator" incurred a €20,000 fine (approximately $26,000) for failing to secure user data. The bulk of the assessed fines, however, fell on Google, which France's data protection authority, CNIL, fined a staggering €50 million (roughly $56 million) for failing to obtain valid consent for personalized advertising.
Under the GDPR, the most serious infringements can be fined up to 4% of total worldwide annual turnover for the preceding financial year or €20 million, whichever is higher; a lower tier, capped at 2% or €10 million, covers violations such as inadequate security measures or failure to notify a breach. While complaints can be filed for a host of reasons under the regulation, the most common in 2018 concerned telemarketing, promotional emails and CCTV surveillance.