GDPR: A Year In Review
2018 saw the introduction of the long-awaited General Data Protection Regulation, a set of laws aimed at strengthening and unifying data protection laws across the European Union. The implementation of the GDPR led to stricter measures being required when processing the personal data of individuals based in the European Union. The months prior to May 2018 saw all-round panic, scaremongering and a Y2K effect spread across organisations of all sizes, industries and functions with many organisations concerned that it would affect their service offerings, marketing and their overall ability to function as a business.
As the GDPR came into effect, our data protection specialist saw an increased rush for companies to comply with the new requirements: data subjects were flooded with consent emails from companies wishing to keep them on their mailing list, websites outside of the EU started blocking EU based devices and many waited in anticipation for these ‘huge’ fines that apparently, we were all going to see from May 25th. D-Day came and went with no immediate huge fines or surprise visits from the Data Protection Commission and as the year went on, we slowly but surely became more accustomed to the requirements of the legislation and the benefits it is bringing to organisations and individuals alike.
So, in celebration of the one-year anniversary, we are reviewing the last 12 months, the good and the bad of GDPR so far.
Since the implementation of the regulation, we have seen several big tech companies facing complaints regarding their data privacy practices, investigations by the Irish data watchdog and the allocation of fines across the EU. Over 90 fines have been imposed for GDPR breaches so far with some household names to be seen among the affected companies.
Two technology giants, Facebook and Google, were the first targets to face official complaints regarding non-compliance under the General Data Protection Regulation. It was argued by NOYB.eu, the organisation that filed the complaints, that the two companies were forcing users into agreeing to terms and conditions of service. Google was handed a €57 million fine due to its Android onboarding process when setting up a new phone.
Facebook has also had an interesting year when it comes to data protection and the GDPR. The Cambridge Analytica scandal become public knowledge in July 2018, although the GDPR was not applicable in this case, Facebook was hit with a £500,000 fine under the Data Protection Act of 1988, but Facebook’s troubles didn’t stop there. In September 2018, Facebook discovered a breach that allowed hackers to take advantage of a vulnerability in the Facebook platform and steal the access tokens for over 50 million users. In December, another issue was notified to the public where users’ private photos were made available to applications for nearly 2 weeks. Although the bug was fixed in September, Facebook did not alert users for nearly three months.
The world also saw several smaller fines being dealt by the data protection authorities including a fine to the Rousseau platform from the Italian Data Protection Authority, the Garante, for €50,000 due to a lack of technical and organisational measures and a fine being issued by the Polish Supervisory Authority to a data broker for the amount of €220,000 for the illegal processing of data. The fines are expected to continue in 2019 with the office of the Data Protection Commission currently conducting 50 investigations with 17 of those investigations currently in multinational technology companies headquartered in Ireland, 8 of those being Facebook.
Fines are not the biggest impact that Smarttech247 has seen over the last 12 months. Huge changes are arising in company cultures and attitudes towards data protection. Organisations are now more transparent about their processing and data subjects are taking full advantage of having control of their data. Companies are owning their GDPR compliance, enforcing more risk aware cultures across the board and ensuring the message of responsibility comes from the top. The GDPR is a constant topic of conversation on social media platforms as the public continues to grasps the new benefits and drive awareness to non-compliance and the regulation itself.
As GDPR made its presence known around the world, other countries began to follow suit in reinventing their data protection laws. The California Consumer Privacy Act (CCPA) was adopted on the 28th of June 2018 and is considered to be one of the most comprehensive data privacy regulations in the United States. Coming in effect on the 1st of January 2020, the Act provides consumers the right to access, opt out and deletion as well as broadening the definition of personal data. This has been followed by 11 other states who have introduced similar legislation as well as other countries around the world such as China and the Philippines.
Although the regulation was initially brought in to protect the personal data of EU based individuals, it has conjured several unexpected outcomes, benefiting the companies complying with the obligations. The practical activities associated with the legislation are giving companies a more in-depth view to their practices and data than ever before. The Personal data inventory alerts companies to the data they are actually collecting versus what they thought they were collecting. Privacy Impact Assessments force companies to consider the risks associated with projects from the outset and consider privacy by design and by default. It has led to better decision making, a better insight to the practices of suppliers and improved customer confidence.
As much as we love to focus on the positive outcomes from the GDPR, there are still downfalls. There are companies currently processing data that are unaware of their responsibilities towards the regulation, spiralling compliance costs, excessive use and scaremongering. Companies continue to use GDPR as an excuse or a coverup to excessive processing of data, hiding them in long-winded terms and conditions. Misinterpretation remains a prominent issue as scaremongering is taken as accurate information and non-clarification of essential definitions leaves organisations confused. Organisations are taking compliance into their own hands, not fully understanding the regulation and either not meeting requirements or going over-the-top thinking they need to comply with every element. As time goes on and rulings are implemented, the expectations will be clarified and excessive use, misinterpretation and scaremongering will lessen but I think its fair to say that there are companies out there that will try and find loopholes within the regulation.
It is probable that GDPR, its benefits, its disadvantages and unexpected outcomes will become even more prominent over the next 12 months. It is certain we will see more breaches and more fines but here at Smarttech247, we are hoping for an overall change in attitude towards the protection of personal data in every industry. The General Data Protection Regulation was feared by many organisations but we feel it has brought huge benefits to not only the data subjects but to businesses, too. Data is essential to conducting business, but maintaining its confidentiality, integrity and availability is essential to gaining your clients’ trust.