It’s been a year since GDPR (General Data Protection Regulation) went into effect in the European Union. At the time it was enacted, organizations weren’t sure what to expect. Some feared it, some ignored it, and few were prepared for it.
Many organizations have still not complied. Others are facing substantial fines for violating provisions of GDPR. For consumers, there have been both positive and negative consequences.
Prior to GDPR adoption, there was little in the way of privacy regulations that had any significant enforcement power. The Data Protection Directive 95/46/EC (DPD), enacted in October 1995, was the first attempt by the EU to standardize data protection laws and personal data collection. GDPR strengthened provisions, including authorizing fines of up to $25 million dollars or 4 percent of annual global turnover (revenue) from the previous year.
The full text of the General Data Protection Regulation includes 99 GDPR articles addressing the rights of individuals and the obligations of organizations. The GDPR impacted nearly every company regardless of where they are based: If they did business in the EU, or have a web presence accessible by EU residents, they were included in the regulations.
Key Provisions of GDPR
The six key principles of GDPR focused on the handling of personal data:
- Data must be handled lawfully, fairly, and transparently
- Data can only be collected for outright and sincere purposes
- Data can only be collected for the purpose of the business function
- Personal data must be kept current and be accurate
- Organizations may no longer retain the data if the business purpose no longer exists
- Data must be protected and remain confidential
Beyond the six key principles, GDPR detailed specific regulations that must be followed as well as the consequences for failing to do so. Not only do organizations have to comply with the regulations, but also they have to demonstrate their compliance. This accountability – or lack thereof – forms the basis for potential fines.
Read more about GDPR requirements.
GDPR Impact: 2019
GDPR has raised awareness of data privacy and rights worldwide. Companies have generally done a better job of reporting breaches (as required). A GDPR Impact Assessment shows the number of self-reported breaches has nearly doubled since before the rules went into effect.
Use of third-party cookies has dropped significantly. There were 22 percent fewer third-party cookies per page across European news sites, according to a Reuters analysis.
The GDPR Impact on business is being felt. Many are still struggling with compliance. Rather than comply, more than 1,000 news publishers have blocked access from EU visitors. Among the GDPR’s negative effects are this restricted access for EU residents. Similarly, it also limited choices for apps for EU residents as companies pulled non-compliant apps from EU access.
It’s not just businesses that struggle with compliance. A study of educational facilities in the UK one year after GDPR adoption, for example, shows that more than half of UK schools and colleges are not meeting compliance standards.
Ad rates have increased in the U.S. as some advertisers pulled ad placements from the EU fearing concerns and invested it in the U.S. instead. Ad rates in the EU have dropped as targeting data is less accessible. With less access to third-party data ad targeting, use of contextual targeting has increased. Rather than targeting using consumer data, contextual advertising places ads relevant to the subject of the content.
Facebook reported the loss of nearly 1 million monthly active users in Europe due to the implementation of GDPR.
GDPR compliance also triggered other actions that benefited consumers. With fewer cookies, third-party features such as ad servers, and social media plugins, page load speeds increased.
GDPR Fines And Enforcement
Authorities across Europe have received nearly 100,000 complaints since the law went into effect, involving 60,000 data breaches. That has resulted in more than 90 fine, including a $57 million fine for Google. Facebook is anticipating a $2.2 billion fine under GDPR.
GDPR regulators expect more fines in the future. Learn how you can establish your own GDPR compliance program to avoid these fines. You can also use our GDPR checklist to help you assess your practices and implement changes.
Read more about GDPR Fines.
The Future Of GDPR
More than half of those surveyed believe their personal information is less secure overall than it was five years ago. In addition, 91 percent agreed that consumers have lost control of how their personal information is collected and used by companies. GDPR aimed to change that. By heightening the world’s attention on privacy and data security, the regulations focused that attention and paved the way for other countries to address the issue.
Data regulations are spreading. Brazil’s new General Data Privacy law follows provisions of GDPR. Canada updated its Personal Information Protection and Electronic Documents Act (PIPEDA) to include GDPR-like provisions regarding breaches and notifications. India is looking at its own Personal Data Protection Bill and even China is evaluating regulations.
There is no comprehensive federal law that regulates the collection and use of personal information in the United States, but several states are taking action. California’s Consumer Privacy Act is set to take effect in January 2020. Like GDPR, most companies (86%) are not ready. Regulations similar to California’s act is making its way through the government approval process in New York, North Dakota, Utah, Washington, and Massachusetts. Illinois is addressing the collection of biometric data.
The EU commission has now recognized these countries as providing adequate protections:
- Faroe Islands
- Isle of Man
- New Zealand
What's Next for GDPR
The GDPR impact so far is still evolving. As we move forward, you can count on three things to happen as privacy and data security will continue to be under the microscope:
- More countries will adopt stricter regulations for privacy and data handling
- More audits and fines will be levied
- Regulators will look at additional ways to protect consumers, such as PSD2, which focuses on electronic payments and open banking
Want more? Read...