Columns

A year into GDPR-mageddon – how have we fared?

May 23, 2019

Happy birthday to the EU’s General Data Protection Regulation (GDPR)! It seems like only yesterday we all were panicking about how to comply with the regulation’s newly enshrined “right to be forgotten” and dealing with a flood of consent notices in our inboxes. We even published a survivor’s guide to compliance with the new principles. GDPR was supposed to be the vanguard for elevated global data protection standards, but has it been successful? The answer, as to most good questions, is that it depends. Here’s a quick rundown of what, practically, has and hasn’t changed one year in.

 

Data breach notifications are way up

Data breach notification is one area in which GDPR has been an unqualified success. Prior to GDPR, there had been no comprehensive reporting standard across the EU. Since the regulation was enacted, though, breach notifications in the UK have nearly doubled over previous levels, from around 18,000 reports to closer to 40,000. Around 60,000 breaches were reported across the EU within the first 8 months of enforcement alone. This is a good thing for a few reasons: it allows for a more systematic study of breach vectors, which in theory leads to better security and more effective response. It also moves closer toward transparency for breach victims. While the casual consumer still doesn’t have a great grasp of what a data breach means to them or how to respond, it’s a step in the right direction when it comes to user-centricity.

 

Accountability has been a disappointment

On the flip side, many observers would call accountability under GDPR a resounding disappointment. The road to GDPR was paved with dire warnings about fines up to 4% of annual global turnover for egregious violations, but we haven’t seen anything close to that yet. So far, a total of around 56 million euro (around $62.75 million) worth of fines have been levied under GDPR. That sounds pretty substantial on the surface, except the vast majority of that total came in a single 50 million euro fine that French regulators slapped on Facebook in January. By some estimates, only .25% of self-reported data breaches led to any sort of monetary fine. Reports from EU regulators indicate that larger penalties are on the horizon since a year of runway has given data protection authorities a chance to build robust cases against violators. We’ll be watching to see what kinds of larger enforcement actions materialize over the coming three months.

 

Companies are still working toward compliance

In the run-up to GDPR enforcement, we read quite a bit about the herculean efforts companies were undertaking to become compliant. Large multinationals spent $7.8 billion on compliance by some estimates, and only about half (or a third, or a measly 7%, depending on who you asked) were fully prepared for the regulation as of the enforcement date. But this past year “should be considered a transition year” for GDPR according to Mathias Moulin, the French data protection authority’s rights protection and sanctions director. Many companies are still slowly working toward compliance.

“We still have too little time and it’s a year later,” said Mark Schreiber, Co-Chair for Privacy and Security at McDermott Will & Emery and co-author of a new study on GDPR implementation. “We expect 50 percent of covered companies are still in the process of GDPR compliance and it will likely go on for another couple of years.” Buckle up for the long haul, friends.

 

Global impact continues to evolve

Another major narrative surrounding the early days of GDPR was that it would raise the bar for data protection around the world (a narrative that we upheld). It will likely be several years before we can gauge the real consumer-facing impacts of the regulation’s stricter statutes, but the impact on regulatory processes and outcomes around the world is more immediately apparent. In Brazil, for example, the LGPD was heavily influenced by GDPR’s principles and structure and is slated to enter enforcement in August of 2020. Even in the U.S. market, the California Consumer Protection Act (CCPA) entering force in California builds upon the basic tenets of GDPR. Not only is California itself equivalent to the fifth-largest economy in the world, but the passage of the CCPA has also started the countdown clock on federal data protection rules.

 

Become an OWI Member and receive daily insights, behind-the-scenes deal info, access to research, exclusive events, and much more.