One year old, GDPR marks a number of successes and inspirations
The European Union made GDPR — the General Data Protection Regulation — the law of the land on May 25, 2018. That makes it now a year old.
Some are calling this a "transition year" for GDPR, but that doesn't mean there's any less interest in its successes and failures so far. Let's take a look and see if we can't find out where the EU, and other countries looking on with interest, go from here.
There are two major goals of the GDPR:
- To require companies and organizations to report data breaches.
- To fine and otherwise hold accountable all organizations that practice poor data stewardship.
According to one survey, there were 60,000 reports of data breaches across Europe during the first eight months of GDPR. Stephen Eckersley, representing the UK's Information Commissioner's Office, indicated he'd seen a "massive increase" in the numbers of breaches being reported. Before GDPR, only about 18,000 to 20,000 breaches being reported each year.
By these numbers, the GDPR has been a major success: many more companies now have the incentives they need to engage in information-sharing about data breaches.
There's a huge amount of value in doubling or tripling the self-reporting rate for data breaches. Consumers have a right to know as soon as possible if some of their personal information may have been compromised. Plus, regulators and engineers alike need as much information as they can get their hands on, as fast as possible, when it comes to understanding the underlying causes and designing appropriate legislation and countermeasures.
Europe is definitely a model worth emulating in the U.S. and in any other territory which has yet to draw up similar federal-level requirements. The GDPR was an update to the existing 1995 Data Protection Directive, which gave member nations the freedom to implement their own breach-notification laws. The whole of the EU is already seeing the benefits of a more united approach to information-sharing. It requires, among other things, that companies and other entities report known data breaches to the appropriate authorities within 72 hours.
Citizens within the EU also benefit from a much wider definition of "personal data." The DPD covered the basics (name, address, etc.) in 1995, but GDPR provides a much more comprehensive and modern list — including IP address, any biometric data captured, device identifiers and more. As a result, we've learned a lot more about our "threat surfaces" and the types of breaches that are happening.
How Else Has GDPR Been Effective?
The first goal of GDPR is enforcing self-reporting for companies that handle data. The second goal is levying fines to companies in response to breaches of customer or client data.
After the first year, GDPR is more or less matching expectations for the second goal. Its scope was ambitious: regulators in the EU can hit companies with fines as great as four percent of their global GDP.
So how's it faring?
According to the European Data Protection Board, the first nine months of the GDPR saw fines levied in the amount of almost 56 million Euros. One downside to this number is that a single fine makes up the bulk of it: a "record-breaking" fine brought against Google in January 2019 due to privacy concerns. The fine was nearly 50 million Euros, which makes it the vast majority of total fines collected so far under the terms of the new GDPR. For the most part, authorities have been slow in holding companies accountable through fines.
Nevertheless, smaller companies have been hit, too — including another substantial sum of 220,000 Euros from a Polish company for failure to inform their customers that their personal data would be gathered and processed.
Some argue the few fines levied so far to larger companies like Google haven't been sufficiently punitive, given the multiple billions in earnings they make each year from the buying and selling of data.
But these issues sound like typical growing pains. Both mechanisms described in the GDPR — both the identification of problem areas and the means to exact restitution from guilty parties — seem to be working more or less as intended.
Moreover, part of enacting GDPR in the first place was to turn cybersecurity and ethical data handling into mainstream political, civic, and social issues. In being one of the first companies to be hit with significant fines from this legislation, Google is helping raise the bar for companies of all sizes, to the benefit of consumers everywhere.
One factor that's not exactly helping compliance is the record-high demand for cybersecurity experts across the industrial spectrum. Private companies and regulatory bodies alike are scrambling to "staff up" as they consider changes they must make under GDPR and how to meet and enforce the new data handling requirements. Google has been made an example of in this "transition year," but enforcement for breaches at smaller companies is almost certainly forthcoming in greater numbers. Small businesses are, after all, an extremely substantial portion of the European economy.
Maybe it had to start with Google, but it certainly won't end there if companies aren't preparing appropriately.
GDPR Is the Beginning of a Conversation
As mentioned, part of GDPR's mandate is to be a consciousness-raiser about "digital civil rights." GDPR has unified European nations on this matter — and countries throughout the world are following suit by drafting data laws of their own, including China, India, South Korea and many others in Asia, Africa and South America. Brazil's General Data Protection law goes into effect in 2020.
In the U.S., individual states are taking up the banner too. The state of California offered its own Consumer Privacy Act to the mix, which becomes law in 2020. It's not identical to GDPR, but the family resemblance is obvious.
Since GDPR's passing, many American companies gathering data on overseas markets and customers have had to take stock of how they collect, store, and utilize the data they're pursuing. The fact that so many companies outside Europe are making proactive changes, in expectation of similar legislation taking off in their own territories, is a sign that good ideas don't really abide by borders.
There have been instances of companies that exited the EU or simply closed down because they couldn't afford the toll that GDPR compliance would have exacted on their budget. This, too, is proof that the bar is getting higher where consumer data rights are concerned.