Nearly a year and a half into this new era, we reflect on how GDPR has already impacted organizations and consider what awaits us down the road

In May 2018, the world of data protection and privacy changed forever with the introduction of the General Data Protection Regulation (GDPR), with effects that have extended far beyond the European Union.

For the vast majority of organizations, achieving GDPR compliance has meant drastically changing their data privacy and management systems and policies. Any organization that operates in the EU and does not comply with GDPR is subject to stiff penalties, including a fine of up to 20 million pounds or 4% of worldwide revenue from the prior financial year, whichever is greater.

2018 & 2019 GDPR Enforcement Actions

Organizations were given two years of warning before GDPR was introduced, but many still found themselves inadequately prepared. In the US, some sites simply blocked or restricted access to the EU because of GDPR. Even one year in, over half of US news sites were still either blocking or restricting access for people in the EU.

For noncompliant organizations, enforcement actions have been extensive. According to the European Data Protection Board (EDPB), hundreds of thousands of GDPR cases have been reported by supervisory authorities and, in just the first year, GDPR fines reached nearly €56 million. To date, they total over €359 million. Among the biggest penalties are:

  • British Airways: £183 million fine for a data breach
  • Marriott International: £99 million fine for a data breach
  • Google: €50 million fine for lack of transparency and consent in advertising personalization
  • Haga Hospital: €460,000 fine for inadequate security measures
  • Real estate company Sergic: €400,000 fine for inadequate security measures

Beyond these and other widely publicized cases, many smaller organizations have faced smaller fines that still have significantly impacted their operations.

The Ongoing Process of Achieving and Maintaining Compliance

Today, numerous businesses, large and small, are still undergoing the time-consuming endeavor of achieving GDPR compliance. From untrained employees to limited board-level awareness and prioritization of data management and security, challenges abound.

Even for companies that were well-prepared for the launch of GDPR, maintaining compliance has necessitated an ongoing investment. For tracking things like data types, data owners, and the reasons for data collection, manually conducting surveys and inventories won’t cut it. For starters, such methods are error-prone and can be infuriatingly tedious, especially for large enterprises storing data across dozens (sometimes hundreds) of systems. Worse, these manual efforts result in data maps that become outdated almost immediately after they are created. Conducting and confirming manual deletion of data is equally exhausting and worrisome.

Instead, maintaining GDPR compliance requires implementing software technology and automation solutions that allow teams to quickly understand and effectively manage data across dispersed systems, including efficiently and accurately processing privacy requests.

A Future of Increased Regulation and Enforcement

Thousands of GDPR actions remain pending, and the EU is committed to proactively and aggressively identifying and penalizing instances of non-compliance. As such, the chances are high that the EU will crack down harder on noncompliance in the coming years.

As for those US companies that so far have been able to ignore GDPR, a new wave of data and privacy regulations is looming, starting with the California Consumer Privacy Act (CCPA) coming in 2020. Following in its wake will likely be other regulations from states such as Hawaii, Massachusetts, Maryland, New Mexico, Rhode Island, and Washington.

Achieving compliance with GDPR and future regulations will require continued and increasing involvement from departments and team members across organizations. New processes and systems will be necessary to keep up with the evolving legal landscape and to ensure data security for customers and staff. Across the board, automation will play a huge role in achieving compliance.

When companies do successfully comply with these privacy regulations, they’ll realize benefits that include fewer security breaches, more efficient data management, and stronger trust and reputation with customers. To learn how Sherpa Software can help your business comply with regulations from GDPR to CCPA, contact us today.