Since taking effect a year ago on May 25, 2018, the General Data Protection Regulation (GDPR), the European Union's law protecting individuals' personal data, has generated more than 95,000 complaints to national data protection authorities (DPAs), the European Commission has reported.
To recap, GDPR applies to the personal data of individuals in the EU regardless of where the organization collecting, storing, processing, or accessing that data is located, provided it offers them goods or services or monitors their behaviour. That means U.S. and Canadian databases containing the personal data of people in the EU fall under GDPR. For more background information, see my previous posts:
GDPR by the Numbers
The EU Commission summarized GDPR developments through January 2019 in an infographic, available here. Among the findings presented:
- The most common types of complaints reported are telemarketing, promotional emails, and video surveillance/CCTV
- More than 40,000 data breach notifications were reported across the EU
- There are 255 ongoing investigations of cross-border GDPR violations
Enforcing the Rules
GDPR investigations can be opened by a national supervisory authority on its own initiative or prompted by a complaint from an individual. When a violation is established, sanctions range from reprimands and orders to fines. The size of a fine depends on the sensitivity of the data, the nature and severity of the violation, and the harm to the individuals affected. Fines are calculated against the organization's worldwide annual turnover for the preceding financial year: up to €20 million or 4% of turnover, whichever is greater, for the most serious infringements (such as violating the basic principles of processing or data subjects' rights), and up to €10 million or 2% of turnover, whichever is greater, for other infringements (such as failing to keep processing records or to notify a breach).
The GDPR also gives individuals whose rights have been violated legal recourse of their own. This includes the right to bring a private action for material or non-material damages caused by a violation and the right to join collective actions. The EU Commission reported that three fines had been issued for GDPR violations so far. The largest was €50 million, for processing personal data without valid consent.
Organizational Impact
Following GDPR hasn't been as bad for marketers as feared, according to Lineate, a transaction processing firm, in the piece, "GDPR One Year Later: Differences, Similarities, and Lessons Learned." GDPR has stimulated the growth of online data collection tools, including data orchestration systems that help organizations organize, parse, and distribute data while maintaining regulatory compliance.
GDPR has also pushed organizations to rethink how they present themselves to customers. When personal data is used for the customer's benefit, customers get to choose when they are contacted, in what format, and with messaging relevant to them. The result should be that customers can trust that their data is being used responsibly. That would be a real improvement; consider 2016 data from TrustArc and the National Cyber Security Alliance showing that 92% of U.S. Internet users worry about their privacy online, 89% avoid companies that don't protect their privacy, and 60% think online privacy should be a human right.
Expect to see more fines in 2019 from France and Germany, both of which have been especially proactive with regulation enforcement.
Not All Compliance Is Even
The GDPR regulations aren't applied evenly, as suggested in the Politico article, "How one country blocks the world on data privacy."
As of the end of April, Ireland's data protection authority, the designated lead regulator for the many large technology companies headquartered there, had not brought a single enforcement action, Politico reported. Ireland has a long history of courting the companies it is supposed to oversee with promises of low taxes, open access to high-level officials, and help securing funds to build new headquarters.
Ireland’s commitment to safely store and control personal information looms larger now that the country is the primary regulator responsible for protecting the health data, email addresses, financial records, relationship status, search histories, and friend lists for hundreds of millions of citizens around the world, the article stated. Ireland continues to apply a more corporate-friendly approach to regulation than other EU members, thereby favoring negotiation over sanctions and lists of questions vs. on-site inspections, the report said.
Dos and Don’ts
- Appoint an Article 27 representative -- If you offer goods or services to people in the EU (or monitor their behaviour) and you have no establishment in the EU, you are required to appoint a representative in the EU under Article 27. The representative serves as the point of contact for EU supervisory authorities and data subjects on your organization's behalf.
- Consider your own staff data -- The GDPR covers everyone in the EU, including your employees. Don't forget to update your internal systems for tracking and processing staff data, not just your customer-facing ones.
- One department isn't enough -- IT will have to implement the technical controls, but it cannot own GDPR compliance alone. Engage staff at every level through training that explains how GDPR affects them, the business, and your customers.
- Size doesn't matter -- Any organization that processes the personal data of people in the EU must be GDPR-compliant, regardless of its headcount or revenue.
Organizations need a loyal customer base that trusts its relationship with them. That means having the tools to comply with the GDPR in practice, especially the ability to locate and delete an individual's personal data promptly when they exercise their right to erasure, and to honour opt-outs and objections to processing.