Happy birthday GDPR! Well, the implementation date for the General Data Protection Regulation was 25 May 2018, so we’re just one month past the data protection law’s one-year anniversary. The regulation was set up to protect individual citizens of the European Union (EU).
This obviously includes Britain as, despite our best efforts, we’ve not left the EU yet.
So, 13 months on – what has GDPR done for EU citizens and have companies managed to uphold data protection standards? This is what we know so far:
- Hiring a data officer is now the norm: Last year, few could describe exactly what GDPR stood for, or had staff who could monitor data quality standards within their offices. Now it’s not so unusual to have a data officer as standard roaming around the offices, and if that person is not permanent, it’s possible to hire one.
Back in February last year we highlighted the importance of hiring a data protection officer, adding that your data is the most valuable thing in your business. The role is defined under section 4 of the GDPR rules: they need to “advise and monitor the performance of data privacy activities and liaise with the regulator”. But these specialists don’t come cheap – back then we estimated their salaries to be anything from £70k to £80k per year. Our solution was to hire out the SchemeServes DPO at a far more reasonable cost, and it’s a service that we still offer.
- The promise of fines has become a reality: Companies were warned that if they were not GDPR compliant they could be fined. Fines under GDPR are up to a maximum of 20 million euros or 4% of turnover. According to Forbes.com, a recent DLA Piper report showed that 59,000 incidents were reported to regulators, ranging from minor breaches (e.g. emails sent to the wrong person by mistake) to major cyber-attacks. In the UK, 91 reported fines have been imposed under GDPR. The highest fine imposed was by the French data protection watchdog on Google – a whopping £44 million!
- It’s likely to be adopted in other countries outside of the EU: According to a report by Techradar.com, the UAE is looking at implementing a data protection law that’s similar to the EU’s GDPR. So, if you have a presence there, it’s probably worthwhile ensuring that your teams are ready for any such changes that come their way.
- Many websites are still not GDPR compliant: It’s been over a year since companies were mandated to be GDPR compliant but, believe it or not, quite a few are still way off the mark. According to Forbes, data testing firm ImmuniWeb tested the 100 most visited sites in each of the 28 member states and found that many didn’t meet the code’s standards. More than half (51%) had ‘missing or hard to find privacy policies’, in spite of the rules clearly stating that they need to be easily accessible.
- There’s more awareness surrounding GDPR: New figures show that nearly six in ten people know that there is a data protection authority in their country, which is a significant increase from just four in ten people knowing about it back in 2015.
It may be a year since GDPR came into effect, but it’s clear that more still needs to be done to raise awareness and to get businesses in line with the regulations. Fines are being imposed on organisations large and small – the days of using the carrot are clearly over and now all that’s left is the stick!