Live Cyber Attack Lab 🎯 Watch our IR team detect & respond to a rogue insider trying to steal data! Choose a Session

X

A Year in the Life of the GDPR: Must-Know Stats and Takeaways

Compliance & Regulation

illustration of a pad lock with the EU stars around it

The one-year anniversary of the implementation of the General Data Protection Regulation (GDPR) recently passed, a significant milestone in data privacy and user protection. The GDPR is a piece of EU legislation with the main purpose to protect users and their data. Lawmakers wanted to implement better controls over companies’ access to and right to store their users’ data. 

After four years of preparation, it was approved by the EU Parliament on April 14, 2016, and went into effect on May 25, 2018. It is the largest legislation of its kind and has had a far-reaching effect, extending beyond the borders of the EU. In honor of this monumental legislation, we put together an overview of the GDPR, its impact and a forecast for the future. 

Goals of the GDPR

There are three main goals of the GDPR that can be broken down into: 1) protecting the rights of users in regards to their data, 2) ensuring that data privacy laws keep up with the ever-changing landscape of technology, and 3) creating unified and consistent legislation across the EU. Some of the specific cases that fall under those categories can be seen below.

Protection of Users’ Privacy Rights

Title: GDPR Users’ Privacy Rights Consent — Companies need clear consent before collecting, storing or giving users’ data Documentation — Companies must keep detailed documentation of their stored data Access to Information — Users can request documentation of their data being held Data Erasure — Users have the right to request the removal of their personal data Data Changes — Users can request that inaccurate stored information be corrected Objections — Data subjects can object to how their data is used

These conditions cover a user’s right to control if they want to share their personal data with a company and what type of data they share. 

  • Consent — Companies must obtain clear consent from the user before collecting, storing or distributing their data. 
  • DocumentationIf holding an individual’s information, companies must keep detailed documentation about what data is being held, where it came from, how it was accessed, how it’s being processed and the purpose of holding the data.  
  • Access to Information Users have the right to request the clear and detailed documentation of what’s being held in a company’s database. Companies need to be able to provide all of this information within a 30-day window.
  • Data ErasureData subjects have the right to request that companies remove their personal data from their databases. Once erasure is requested, the company must comply and provide documentation that the data has been removed.
  • Data ChangesUsers can request that inaccurate stored information be adjusted and corrected.
  • Objections — Data subjects can object to how their data is used in regards to race, ethnicity, sexual orientation, gender, political views, religious beliefs and other types of profiling. 

Impact of the GDPR

All of the regulations laid out above apply to any and all businesses that interact or do business with EU citizens. This means the effects of the GDPR’s legislation surpass the EU, affecting US, Chinese and other non-EU companies who do business with EU citizens.

GDPR Effect Overview

This legislation has had widespread effects across different industries and has had some unexpected and expected results come out of its first year. We will go into these effects in deeper detail below, but here is an overview:

  • Changing the landscape of data protection — The GDPR put a large spotlight on data protection and it’s being taken much more seriously across the board.
    • The California Consumer Privacy Act (CCPA) was signed into law in June 2018
    • More countries and US states are expected to follow in the GDPR’s footsteps with similar legislation
  • Greater reliance on third parties and data experts — There has been increased hiring around data protection and GDPR law advice.
    • $9 billion spent on GDPR prep
    • 500,000 Data Protection Officers are employed
  • Businesses were overall unprepared — Due to the strict penalties and open-ended nature of the legislation, very few companies felt confident in their level of compliance.
    • By December 2018, only 50% of companies believed they were GDPR compliant
    • 1 in 5 companies thought full compliance was impossible
  • Fewer fines have been given than expected — It seems as though this first year has been somewhat of a grace period as everyone continues to adjust their practices.
    • $63 million in fines issued
    • $57 million of that issued to Google 
  • Enforcement agencies overwhelmed with scope — There seem to be staffing shortages that hindered some agencies from keeping up with complaints and notifications.
    • 144,000 complaints filed
    • 89,000 data breaches recorded
    • 37% of GDPR cases are still pending, 63% are closed
  • Mixed feelings among consumers — Even though this legislation aims to protect consumers, questions about its enforcement leave opinions split.
    • 45% of EU citizens are still concerned about their data privacy
    • 62% of UK consumers feel more comfortable sharing their data 

Choosing Non-compliance

There are two other options for those that don’t want to go through the trouble of making all their data and processing GDPR-compliant. Businesses can decide to completely cut ties with EU citizens or get rid of all of their non-compliant data.

  • About 1,000 news sources blocked EU readers to avoid complying with the GDPR.
  • Many businesses decided to start fresh and dumped data instead of adjusting the data to meet GDPR compliance.

Businesses (Controllers)

Large UK companies spent $1.1 billion collectively on GDPR prep. Big American companies spent $7.8 billion on GDPR prep.

Businesses are referred to as controllers because they are the ones who are responsible for protecting the data of their consumers. Many supporters of the GDPR were hopeful that the legislation would rein in the power of tech giants like Google, Amazon, Facebook and Apple (known collectively as GAFA). When this legislation came out it was a huge wake-up call to Silicon Valley, where tech companies rely heavily on free personal data harvesting. 

Luckily for them, this first year was somewhat of a transition period and most got off scot-free or with a warning. Even Google’s $57 million fine was more of a slap on the wrist when compared to its $136.22 billion 2018 revenue. Some have pointed out that the biggest financial effect has hit smaller businesses who don’t necessarily have the same resources to adapt their practices quickly like the bigger companies. 

  • Businesses spent $1.3 million on average to meet compliance requirements and are expected to put in an additional $1.8 million according to a survey by IAAP.
  • After all of these investments, fewer than 50% of businesses are compliant, but 4 in 5 are working towards meeting requirements.
  • For the 1 in 5 businesses who choose noncompliance, their options are: incur penalties or cut ties with all EU customers and users.

Supplementary Agencies (Marketing and Law)

Aside from the businesses that deal directly with consumers, there were ripple effects that hit other agencies involved in marketing and law. Businesses had to bolster their legal teams and seek advice about how to navigate the GDPR’s somewhat vague wording. Even big companies with large legal teams must seek outside help as they don’t have expertise in data privacy. Most smaller businesses have the same potential penalties looming over them and ultimately need to seek legal advice as well.

This huge shift in spending for the GDPR, while important to meet compliance laws, also means that companies’ budgets changed a lot as well. The funds spent to keep up with and prepare for the GDPR arguably could’ve been allocated into different company programs and initiatives. Now that the GDPR has gone into effect, compliant companies will likely always have a budget to handle data privacy. Massive spending has gone into the GDPR since it was announced back in 2016. US companies had to spend a lot more than European companies because the EU already had some regulations in place which made the transition easier for EU-based companies.

  • Large UK companies spent $1.1 billion collectively on GDPR prep.
  • Big American companies spent $7.8 billion on GDPR prep.

The GDPR has also had an effect on how marketers do their jobs. Firms and in-house marketing teams need to be aware of the data they use and how they collect data. Many marketers are nervous about potential fines and worry about inflicting penalties on their clients or themselves. 

  • 52.8% of US digital marketers fear that government regulation/threat of regulation may impede data-driven marketing and media initiatives.   

Users (Data Subjects)

45% of EU citizens still don’t feel confident in their internet privacy. 62% of UK users feel more comfortable sharing their data with the GDPR in place.

Users arguably have the upper hand in these digital exchanges, where that wasn’t always the case. It depends, of course, on a company’s adherence to the policies. Users interacting with GDPR-compliant sites and companies have better control over their internet experience. 

There are still mixed feelings among consumers though. Some were overwhelmed by the deluge of privacy policy change emails and don’t really know where to start when changing their privacy settings. One year later, many EU citizens still doubt the effectiveness of this new legislation while others think it was a step forward.

According to a survey of UK consumers by DMA:

  • 62% of UK consumers said they feel more comfortable sharing their data with these laws in place.
  • Consumers have a greater opportunity to tailor the types of advertisements and offers they receive — 57% of these consumers do prefer personalized forms of marketing.

When it comes to the implementation of the GDPR and the effects on user experience over the past year:

  • 31% of consumers feel their overall experience with companies has improved, according to a survey by Marketing Week
  • The same survey concluded that 25% saw notably more relevant email marketing while 37% didn’t see a difference.

Data Protection Officers + Auditors (Enforcers)

Since 2016, the demand for Data Protection Officers (DPOs) has risen over 700%. There are now 500,000 DPOs employed (6x more than forecasted in 2017).

The GDPR also caused a huge growth in the demand for Data Protection Officers (DPOs). One aspect of the GDPR requires that large companies have an employee or team dedicated to data protection. DPO salaries usually land in the range of $86,000–$140,000. 

Back in April 2016, there were 13 DPO job postings per million job postings. Just a year and a half later in October 2017, there were 103 DPO job postings per million — a 692% increase in 18 months. However, it’s hard to track exact demand to date because some companies have shifted existing employees into such roles or choose to outsource to an agency. In 2019, there are now half a million DPOs employed compared to the 75,000–83,000 that had been estimated back in 2017.

  • Since 2016, the demand for Data Protection Officers (DPOs) has skyrocketed and risen over 700%.
  • There are now 500,000 DPOs employed (6x more than forecasted back in 2017).

The main enforcers/regulators of the GDPR include:

  • The European Commission (EC)
  • European Data Protection Board (EDPB)
  • The 28 EU Member States — each country has an agency to help regulate the GDPR 

These auditing agencies have had a hard time keeping up with enforcement and investigations due to the volume of businesses, complaints and insufficient staffing. We’ll explore the effectiveness and enforcement of the GDPR in more detail below. 

Was the GDPR Enforced Since Its Enactment?

Title: GDPR Enforcement Copy: In total there were $63 million of fines issued in the first year of the GDPR. Google was hit with a fee of $57 million for unclear data harvesting practices. There have been 144,000 complaints filed with various GDPR enforcement agencies and 89,000 data breaches recorded. 37% are still pending investigation or penalties.

Many have been unimpressed with the enforcement of the GDPR. This mainly includes companies that put a lot of resources into becoming compliant in time for the law’s enactment and those consumers who wanted to see non-compliant companies get slapped with big fines. However, most consumers are pleased with the precedent of data protection that the GDPR has set. 

Companies under GDPR  jurisdiction who don’t comply with the legislation requirements are subject to penalties and large fines. Consumers and compliant businesses are looking for more widespread enforcement and fines.

As stated in Article 83, noncompliance can be met with fines as high as “20,000,000 EUR, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.” No company (aside from Google) incurred fees that large, but auditing agencies made an example out of two tech tycoons, Google and Facebook:

  • There were $63 million of fines issued during the first year of the GDPR. 
  • 65,000 data breaches were reported to the European Data Protection Board (EDPB).
  • Google was hit with a fee of $57 million for not making it clear to users how they were harvesting data from the Google search engine, YouTube and Google Maps for personalized ads. This fine only amounts to .04% of Google’s yearly revenue. 
  • Facebook has been hit with many potential fines and has set aside $3 billion in anticipation of the fees for mishandling passwords and other noncompliance complaints.
  • Facebook paid a $645,150 fine for the Cambridge Analytica scandal, which happened before the GDPR was enacted, and they are still under investigation for more potential fines.

Through all of the data privacy complaints that have been filed, few have resulted in the headline-catching fines seen above. In fact, many believe the fines thus far have been a slap on the wrist. In response to the required 72-hour data breach reporting period, over-reporting reached an all-time high as people feared penalties and rushed to report.  

  • The ICO dealt with companies over-reporting data breaches as they received about 500 calls a week. 
  • There have been 144,000 complaints filed with various GDPR enforcement agencies and 89,000 data breaches recorded. 37% are still pending investigation or penalties.

GDPR Compliance Checklist

Title: GDPR Audit Checklist Subtext: Use this checklist to make sure you’re prepared for anything the GDPR or other data protection policies have to throw at you. Copy: Information Audit — determine what info you store or process and who has access Legal Counsel — make sure that legal counsel has looked over your processing framework, methods and policies Appoint a DPO — hire or appoint a data protection officer (if necessary) or another employee to oversee data protection Consult Partners — make sure that you have privacy agreements with any third parties you work with Clear Privacy Policy — make sure your legally backed processes are laid out clearly for users User Access to Info — customers must be able to request and receive a list of all the info you have about them, amend any incorrect info and request that you remove info Data Encryption — anonymize and encrypt personal data wherever viable Internal Security — create an internal security policy and educate your team about it Internal Audits — stay on top of updates and make sure security is up to par Data Breach Plan — solidify a plan to quickly and efficiently notify authorities and users if a breach occurs

If you aren’t sure about the effectiveness of your organization’s compliance, go through the points laid out in the checklist above. Taking the extra time and resources to become fully compliant is worth it in the long run to avoid violations, fines and reputational repercussions.

Forecasting the Future of the GDPR

Illustration with text: Title: Future of the GDPR. Copy: More data privacy legislation (capitol building symbol), Greater GDPR enforcement (police vest and flashlight symbol), More budget in data security (a piggy bank symbol), Changes in marketing (a line graph illustration) Shifts in how sites make money (money bag symbol)

There are still many unanswered questions when it comes to the GDPR. It has undoubtedly made a huge mark on our digital media and marketplaces and will impact the future. In spite of the questions we have, there are some conclusions and predictions that can be made based off of its first year.

More Global Data Privacy Legislation 

The California Consumer Protection Act (CCPA) was a huge sign of the legislation trends that we can expect in the future. There is a global dialogue about whether or not data privacy laws are a good idea and if so, what they should look like. Other countries and US states are expected to follow in the footsteps of the GDPR and the CCPA.

Greater GDPR Enforcement

This first year of GDPR has been somewhat of a grace period as far as enforcement leniency. In the coming years, there will be increased crack-downs on non-compliance. This won’t only focus on the big companies but will go after smaller and medium-sized businesses too. Successful enforcement is dependent upon agencies increasing staffing and methods of regulation.

More Budget in Data Security  

With more legislation and crackdowns on non-compliance, companies will continue to funnel funds into their data security sectors. This could mean continued job growth for Data Protection Officers as well as other data security jobs. The flipside of these budget shifts is that companies will theoretically have fewer funds for other company development sectors.

Changes in Marketing

Marketers have relied heavily on the personalized data gathered from our internet practices and tendencies to find target markets and shape their campaigns. They will have to get explicit permission to use personal data and be clear about how they gather that information. The changes and increased barriers brought by data privacy laws may turn some in-house marketing teams and agencies back to traditional marketing methods.   

Shifts in How Sites Make Money

Many sites charge their users nothing to use their site but will pay to keep everything running by selling data about their users to advertisers. These sites are sometimes known as “freemium” sites. Some speculate that there may be an increase in sites charging for memberships and subscriptions to maintain their sites without the free data. 

7 Lessons Learned from the GDPR

To sum up what we’ve learned from the GDPR over the past year, we put together a list of our top seven takeaways. Click the download button below to download the full infographic with an overview of the GDPR and the lessons we learned and tips to improve moving forward. 

  1. There’s a lot at stake: Study the legislation and hire an expert
  2. Communication is vital: Keep your team and partners updated
  3. Mistake or intentional, it doesn’t matter: Take ownership of your data
  4. Auditors take cooperation into account: Report errors promptly  
  5. Customers’ voices make an impact: Listen to feedback 
  6. Clarity is essential: Make it easy on users 
  7. Legislation and technology will evolve: Constantly improve

navy and red click to download button to download the 7 lessons learned from the GDPR

 

Even though the GDPR has had mixed reviews and results, almost everyone can agree that it is a step in the right direction for data security and privacy. Most agree that their online data is an extension of themselves which gives everyone the right to govern their personal data. 

It’s important to keep in mind that there are side effects to rapid policy change without a proper time frame to prepare and adjust. The best course of action may not be the most apparent. The end goal of data privacy legislation is to create an online space that is secure and respects individual privacy. The question that remains: which route is the best and most efficient?

Sources: Business Insider | CA Privacy | DMA | European Commission | EU Journal | EU Parliament | EDPB | eMarketer | Facebook Financials | Forbes | GDPR Report | IAPP | JD Supra | Marketing Week | New York Times | Nieman Lab | Reuters | Survey Monkey 

Rob Sobers

Rob Sobers

Rob Sobers is a software engineer specializing in web security and is the co-author of the book Learn Ruby the Hard Way.

 

Does your cybersecurity start at the heart?

Get a highly customized data risk assessment run by engineers who are obsessed with data security.