The one-year anniversary of the General Data Protection Regulation (GDPR) taking effect recently passed, a significant milestone for data privacy and user protection. The GDPR is a piece of EU legislation whose main purpose is to protect individuals and their personal data. Lawmakers wanted to impose tighter controls on companies’ access to, and right to store, their users’ data.
After four years of preparation, it was approved by the EU Parliament on April 14, 2016, and became enforceable on May 25, 2018. It is the most far-reaching legislation of its kind, with effects extending well beyond the borders of the EU. In honor of this milestone, we put together an overview of the GDPR, its impact and a forecast for the future.
- Goals of the GDPR
- Impact of the GDPR
- GDPR Enforcement
- GDPR Compliance Checklist
- Future of the GDPR
- 7 Lessons Learned Infographic
Goals of the GDPR
There are three main goals of the GDPR: 1) protecting the rights of individuals with regard to their data, 2) ensuring that data privacy law keeps up with the ever-changing technology landscape, and 3) creating unified and consistent rules across the EU. Some of the specific obligations that fall under those goals are listed below.
Protection of Users’ Privacy Rights
These provisions cover a user’s right to control whether they share personal data with a company and what data they share.
- Consent — Where a company relies on consent as its lawful basis, it must obtain clear, affirmative consent from the user before collecting, storing or sharing their data, and the user must be able to withdraw that consent as easily as they gave it. Consent is only one of the six lawful bases in Article 6 (performance of a contract, legal obligation and legitimate interests are others), but whichever basis applies has to be documented and disclosed to the user.
- Documentation — If a company holds an individual’s information, it must keep detailed records of what data is held, where it came from, who has accessed it, how it is being processed and the purpose for holding it.
- Access to Information — Users have the right to request a clear, detailed account of what personal data a company holds about them, why it is held, and with whom it has been shared. Companies must respond without undue delay and in any event within one month of the request (extendable by a further two months for complex or numerous requests), normally free of charge.
- Data Erasure — Data subjects have the right to request that companies delete their personal data, for example where it is no longer needed for the purpose it was collected for or where consent has been withdrawn. The right is not absolute (a legal obligation to retain the data, or its use in legal claims, can override it), but where it applies the company must delete the data, tell any third parties it has shared the data with to do the same, and confirm to the requester that the data has been removed.
- Data Changes — Users can request that inaccurate stored information be adjusted and corrected.
- Objections — Data subjects can object to processing based on legitimate interests or a public-interest task, to direct marketing, and to profiling; an objection to direct marketing must always be honored. Special categories of data such as race, ethnicity, sexual orientation, political opinions, religious beliefs and health data receive additional protection and may only be processed under narrow conditions.
Impact of the GDPR
All of the rules laid out above apply to any business that offers goods or services to, or monitors the behavior of, individuals in the EU, regardless of where the business is located and regardless of the individual’s citizenship. This means the effects of the GDPR reach well beyond the EU, affecting US, Chinese and other non-EU companies that serve EU users.
GDPR Effect Overview
This legislation has had widespread effects across industries, and its first year produced both expected and unexpected results. We go into these effects in more detail below, but here is an overview:
- Changing the landscape of data protection — The GDPR put a large spotlight on data protection, and it is being taken much more seriously across the board.
  - The California Consumer Privacy Act (CCPA) was signed into law in June 2018
  - More countries and US states are expected to follow in the GDPR’s footsteps with similar legislation
- Greater reliance on third parties and data experts — There has been increased hiring around data protection and GDPR legal advice.
  - $9 billion spent on GDPR prep
  - 500,000 Data Protection Officers are employed
- Businesses were overall unprepared — Due to the strict penalties and open-ended nature of the legislation, very few companies felt confident in their level of compliance.
  - By December 2018, only 50% of companies believed they were GDPR compliant
  - 1 in 5 companies thought full compliance was impossible
- Fewer fines have been given than expected — This first year has been something of a grace period as everyone continues to adjust their practices.
  - $63 million in fines issued
  - $57 million of that issued to Google
- Enforcement agencies overwhelmed with scope — Staffing shortages hindered some supervisory authorities from keeping up with complaints and breach notifications.
  - 144,000 complaints filed
  - 89,000 data breaches recorded
  - 37% of GDPR cases are still pending, 63% are closed
- Mixed feelings among consumers — Even though the legislation aims to protect consumers, questions about its enforcement leave opinions split.
  - 45% of EU citizens are still concerned about their data privacy
  - 62% of UK consumers feel more comfortable sharing their data
There are two other options for those that don’t want to go through the trouble of making all their data and processing GDPR-compliant: cut ties with EU users entirely, or get rid of all non-compliant data.
- About 1,000 news sources blocked EU readers to avoid complying with the GDPR.
- Many businesses decided to start fresh and dumped data instead of adjusting the data to meet GDPR compliance.
Businesses that decide why and how personal data is processed are referred to as controllers under the GDPR, and they carry primary responsibility for protecting that data; vendors that process data on a controller’s behalf are processors, with their own, narrower obligations. Many supporters of the GDPR hoped the legislation would rein in the power of tech giants like Google, Amazon, Facebook and Apple (known collectively as GAFA). When it came into force it was a wake-up call to Silicon Valley, where tech companies rely heavily on harvesting personal data for free.
Luckily for them, this first year was something of a transition period, and most got off scot-free or with a warning. Even Google’s $57 million fine was more of a slap on the wrist when compared to its $136.22 billion 2018 revenue. Some have pointed out that the biggest financial effect has hit smaller businesses, which don’t have the same resources as the bigger companies to adapt their practices quickly.
- Businesses spent $1.3 million on average to meet compliance requirements and are expected to put in an additional $1.8 million, according to a survey by the IAPP.
- After all of these investments, fewer than 50% of businesses are compliant, but 4 in 5 are working towards meeting requirements.
- For the 1 in 5 businesses that don’t expect to reach full compliance, the options are to incur penalties or to cut ties with all EU customers and users.
Supplementary Agencies (Marketing and Law)
Aside from the businesses that deal directly with consumers, there were ripple effects for the marketing and legal professions. Businesses had to bolster their legal teams and seek advice on navigating the GDPR’s sometimes vague wording. Even large companies with big legal teams often have to seek outside help because they lack in-house data privacy expertise, and smaller businesses, which face the same potential penalties, ultimately need legal advice as well.
- Legal advice and teams cost UK FTSE 350 companies about 40% of their GDPR budget or $2.4 million.
This shift in spending, while necessary to meet compliance obligations, also reshaped company budgets: the funds spent keeping up with and preparing for the GDPR arguably could have gone to other programs and initiatives. Now that the GDPR is in force, compliant companies will likely always carry a budget for data privacy. Massive spending has gone into the GDPR since it was adopted in 2016, and US companies had to spend considerably more than European ones, because the EU already had data protection rules in place (the 1995 Data Protection Directive that the GDPR replaced), which made the transition easier for EU-based companies.
- Large UK companies spent $1.1 billion collectively on GDPR prep.
- Big American companies spent $7.8 billion on GDPR prep.
The GDPR has also changed how marketers do their jobs. Agencies and in-house marketing teams need to know what data they use and how they collect it. Many marketers are nervous about potential fines and worry about exposing their clients or themselves to penalties.
- 52.8% of US digital marketers fear that government regulation/threat of regulation may impede data-driven marketing and media initiatives.
Users (Data Subjects)
Users arguably now have the upper hand in these digital exchanges, which wasn’t always the case. It depends, of course, on a company’s adherence to the rules, but users interacting with GDPR-compliant sites and companies have better control over their data and their internet experience.
- 45% of EU citizens still don’t feel confident in their internet privacy.
According to a survey of UK consumers by DMA:
- 62% of UK consumers said they feel more comfortable sharing their data with these laws in place.
- Consumers have a greater opportunity to tailor the types of advertisements and offers they receive — 57% of these consumers do prefer personalized forms of marketing.
When it comes to the implementation of the GDPR and the effects on user experience over the past year:
- 31% of consumers feel their overall experience with companies has improved, according to a survey by Marketing Week.
- The same survey concluded that 25% saw notably more relevant email marketing while 37% didn’t see a difference.
Data Protection Officers + Auditors (Enforcers)
The GDPR also caused huge growth in demand for Data Protection Officers (DPOs). Article 37 requires a DPO for public authorities and for any organization whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data, regardless of company size; many other companies appoint one voluntarily. DPO salaries usually land in the range of $86,000–$140,000.
Back in April 2016, there were 13 DPO job postings per million job postings. Just a year and a half later, in October 2017, there were 103 DPO job postings per million, a 692% increase in 18 months. It’s hard to track exact demand to date, however, because some companies have shifted existing employees into the role or outsource it to an agency. In 2019 there are now half a million DPOs employed, compared to the 75,000–83,000 that had been estimated back in 2017.
- Since 2016, the demand for Data Protection Officers (DPOs) has skyrocketed and risen over 700%.
- There are now 500,000 DPOs employed (6x more than forecasted back in 2017).
The main bodies involved in enforcing the GDPR are:
- The European Commission (EC), which drafted the Regulation and monitors its application but does not itself investigate complaints or issue fines
- The European Data Protection Board (EDPB), made up of the national authorities, which coordinates enforcement and ensures the Regulation is interpreted consistently across the EU
- The supervisory authorities of the 28 EU Member States — each country has a data protection authority that handles complaints, investigates and imposes penalties (the three EEA states, Iceland, Liechtenstein and Norway, apply the GDPR as well)
These supervisory authorities have had a hard time keeping up with investigations because of the volume of businesses and complaints and insufficient staffing. We’ll explore the effectiveness and enforcement of the GDPR in more detail below.
Was the GDPR Enforced Since Its Enactment?
Many have been unimpressed with the enforcement of the GDPR so far: mainly companies that put a lot of resources into becoming compliant in time for the law’s enactment, and consumers who wanted to see non-compliant companies hit with big fines. Most consumers are nonetheless pleased with the precedent for data protection that the GDPR has set.
Companies under GDPR jurisdiction that don’t comply with its requirements are subject to penalties and large fines, and consumers and compliant businesses alike are looking for more widespread enforcement.
As Article 83 states, the most serious infringements can be met with fines of up to “20,000,000 EUR, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.” (A lower tier of €10 million or 2% applies to infringements such as failing to notify a breach or to appoint a required DPO.) Apart from Google, no company has incurred a fine on that scale, but supervisory authorities did make an example of two tech giants, Google and Facebook:
- There were $63 million of fines issued during the first year of the GDPR.
- By February 2019, nine months in, about 65,000 data breaches had been reported to supervisory authorities according to the European Data Protection Board (EDPB); the count reached roughly 89,000 by the one-year mark.
- Google was hit with a €50 million (about $57 million) fine by France’s CNIL for not clearly informing users how their data from services such as Google Search, YouTube and Google Maps was being combined for personalized ads, and for relying on consent that was not valid. The fine amounts to only 0.04% of Google’s yearly revenue.
- Facebook has set aside $3 billion in anticipation of penalties; that accrual relates to the US FTC’s inquiry rather than to the GDPR, but the company is also under several GDPR investigations by the Irish Data Protection Commission, including over its storage of user passwords in plaintext.
- Facebook paid a £500,000 (about $645,150) fine to the UK ICO for the Cambridge Analytica scandal; because the conduct predated the GDPR, that was the maximum available under the UK’s previous Data Protection Act 1998, and the company remains under investigation for further potential fines.
Of all the data privacy complaints that have been filed, few have resulted in headline-catching fines like those above, and many believe the fines thus far have been a slap on the wrist. The 72-hour breach notification requirement (which applies to breaches likely to pose a risk to individuals) had the opposite effect: over-reporting reached an all-time high as companies feared penalties and rushed to report even trivial incidents.
- The ICO dealt with companies over-reporting data breaches as they received about 500 calls a week.
- There have been 144,000 complaints filed with various GDPR enforcement agencies and 89,000 data breaches recorded. 37% are still pending investigation or penalties.
GDPR Compliance Checklist
If you aren’t sure about the state of your organization’s compliance, work through the points in the checklist. Taking the extra time and resources to become fully compliant is worth it in the long run to avoid violations, fines and reputational damage.
Forecasting the Future of the GDPR
There are still many unanswered questions about the GDPR. It has undoubtedly made a huge mark on digital media and marketplaces and will shape the future. Despite those questions, some conclusions and predictions can be drawn from its first year.
More Global Data Privacy Legislation
The California Consumer Privacy Act (CCPA) was a strong sign of the legislative trend to expect. There is a global dialogue about whether data privacy laws are a good idea and, if so, what they should look like. Other countries and US states are expected to follow in the footsteps of the GDPR and the CCPA.
Greater GDPR Enforcement
This first year of the GDPR has been something of a grace period as far as enforcement goes. In the coming years there will likely be increased crackdowns on non-compliance, focused not only on the big companies but on small and medium-sized businesses too. Successful enforcement depends on the supervisory authorities increasing their staffing and refining their methods.
More Budget in Data Security
With more legislation and crackdowns on non-compliance, companies will continue to funnel funds into their data security sectors. This could mean continued job growth for Data Protection Officers as well as other data security jobs. The flipside of these budget shifts is that companies will theoretically have fewer funds for other company development sectors.
Changes in Marketing
Marketers have relied heavily on personal data gathered from our internet habits to find target markets and shape their campaigns. They will have to establish a lawful basis, often explicit consent, for using personal data and be clear about how they gather it. The changes and increased barriers brought by data privacy laws may push some in-house marketing teams and agencies back toward traditional marketing methods.
Shifts in How Sites Make Money
Many sites charge their users nothing but keep running by selling data about their users, or access to those users, to advertisers. This ad-funded model is sometimes loosely called “freemium”, although that term properly describes a free basic tier with paid upgrades. Some speculate that there may be an increase in sites charging for memberships and subscriptions to replace the revenue from user data.
7 Lessons Learned from the GDPR
To sum up what we’ve learned from the GDPR over the past year, we put together a list of our top seven takeaways, with tips to improve moving forward.
- There’s a lot at stake: Study the legislation and hire an expert
- Communication is vital: Keep your team and partners updated
- Mistake or intentional, it doesn’t matter: Take ownership of your data
- Auditors take cooperation into account: Report errors promptly
- Customers’ voices make an impact: Listen to feedback
- Clarity is essential: Make it easy on users
- Legislation and technology will evolve: Constantly improve
Even though the GDPR has had mixed reviews and results, almost everyone can agree that it is a step in the right direction for data security and privacy. Most people see their online data as an extension of themselves, which gives everyone the right to govern their own personal data.
It’s important to keep in mind that rapid policy change without a proper time frame to prepare and adjust has side effects, and the best course of action is not always the most obvious one. The end goal of data privacy legislation is an online space that is secure and respects individual privacy. The question that remains: which route is the best and most efficient?
Sources: Business Insider | CA Privacy | DMA | European Commission | EU Journal | EU Parliament | EDPB | eMarketer | Facebook Financials | Forbes | GDPR Report | IAPP | JD Supra | Marketing Week | New York Times | Nieman Lab | Reuters | Survey Monkey
Rob Sobers is a software engineer specializing in web security and is the co-author of the book Learn Ruby the Hard Way.