In early 2018, many legal and privacy experts hailed the European Union’s General Data Protection Regulation (GDPR) as the most important legislation of the past 20 years. Companies worldwide panicked, terrified the slightest infractions could lead to hefty GDPR fines and serious damage to brand reputation. While this hasn’t fully materialized, presentations and discussions at our recent annual CGOC Regional Meeting in New York demonstrated that companies of all sizes doing business in Europe cannot afford to be complacent.
GDPR is still young, and companies and regulators alike are still working out how it should operate in practice. Companies that rushed to comply with GDPR mandates in late 2017 and early 2018 report little evidence of enforcement. For example, a survey by global law firm DLA Piper found that while the number of reported data breaches over the last year increased to over 59,000, only 91 resulted in fines.
In January of 2019, France’s data protection authority, National Commission on Informatics and Liberty (CNIL), fined Google €50,000,000 for a lack of transparency and consent in advertising personalization. But in general, GDPR fines across Europe have been small and infrequent. In Germany, data protection authorities issued just 41 fines for violations of the GDPR through mid-January, and the largest single fine was about $91,000. Other notable actions involved a Portuguese hospital network, an Austrian betting site, and a German social media and chat network, but those fines were only a few thousand dollars each.
Still, smart businesses are holding their breath in anticipation of the inevitable increase in GDPR enforcement and impact.
For example, according to the Irish Data Protection Commission, while its investigations have taken significant time, they include complaints against Twitter, WhatsApp, Instagram, LinkedIn and Apple—with seven separate probes involving Facebook. The commission expects to levy substantial fines this summer. In the U.S., Facebook anticipates a $5 billion privacy-related fine from the Federal Trade Commission.
The broader impact of the GDPR is the rise of privacy regulations around the world, including Australia, Brazil, Canada and Thailand. In the U.S., the GDPR has inspired the California Consumer Privacy Act (CCPA), which takes effect in January 2020, along with a patchwork of 12 other states passing privacy legislation and Congressional movement on a federal privacy bill.
While consumers may be happy about the momentum toward greater privacy, many organizations remain confused about GDPR requirements, and only 27 percent of U.S. companies are GDPR compliant (with only 14 percent CCPA compliant).
Privacy experts I speak with lament that because pronouncements come from each country's own GDPR data protection agency, we cannot count on these authorities to offer clear, consistent guidance. Further, the potential for individual executive liability, together with time-consuming complaints raised by consumers and employees, creates significant uncertainty. The following articles form a compelling narrative that the situation will not improve soon:
On the flip side, companies embracing privacy as an eventual core competency are reaping benefits.
Many organizations appreciate the GDPR for providing leverage for the privacy office to accelerate program development. Privacy programs have the attention of the board and executive leadership, and privacy teams that got zero attention in 2015 are now top of mind, which means budgets are easier to come by.
Even more important, because the GDPR has expanded the definition of personal data, organizations have had to adjust their data classification standards and do a far better job of knowing where all their information is—while still ensuring business efficiency. Some companies have established a centralized individual rights team as part of GDPR prep to help smooth out the process and keep it sustainable. These efforts have forged tighter relationships among privacy teams, other information stakeholders, and IT, leading to improved collaboration and new investments in technology and automation that support the privacy effort as well as the broader information governance program. The GDPR has also led to new types of technologies and service providers that are answering the call to make complying with privacy regulations easier.
If you’d like to learn how information governance can support data privacy compliance, consider downloading the CGOC Information Governance Process Maturity Model. If you prefer on-demand resources, you can learn more here.