Happy Birthday GDPR!
It seems like yesterday we were informing our customers that GDPR’s enforcement date was May 25, 2018. You remember May 25, 2018…right? It was the day companies started to inundate you with re-consent emails, updated privacy communications and accept-cookies notices. As we celebrate GDPR’s birthday, I thought it would be a good time to think about what’s happened in the last 12 months.
A Year Later…Where Does Privacy Rank?
Consumers continue to become more concerned about their data and privacy because of events like the Facebook Cambridge Analytica scandal and Google’s GDPR fine of €50 million for privacy violations.
In Q2 2018, Gartner ranked “GDPR” as number 3 on their emerging risk list. Fast forward to Q1 2019 and “Accelerating Privacy Regulation” is the top item on Gartner’s list. Organizations are finding out that complying with GDPR and other privacy regulations like the California Consumer Privacy Act (CCPA) is very challenging.
GDPR was just the start. Data protection is becoming more important as more countries think about user data protection. A number of countries have passed GDPR-like data protection laws or are currently developing GDPR-like legislation. For example, Brazil passed its GDPR-like law (LGPD), which will go into effect in February 2020. China’s new National Standard on Personal Information Protection went into effect in May 2018, and Denmark passed the Danish Data Protection Act 2018, with enforcement starting in January 2019.
What’s happening in the U.S.?
California’s CCPA will go into effect in January 2020. In April 2019 the Texas legislature introduced two separate bills relating to the protection of personal information. In September 2018 the U.S. announced its plans to establish U.S. consumer privacy standards. The U.S. Department of Commerce has taken the lead in working collaboratively with the public and private sectors to develop frameworks for privacy. In January 2019, the U.S. Government Accountability Office (GAO) provided reports recommending that Congress develop internet data protection legislation to enhance consumer protections, and there have been a number of U.S. Senate data privacy hearings in February and May 2019. Will a U.S. federal privacy law be passed in 2019? We’ll see as the year progresses.
Are U.S. Companies Adopting GDPR?
Many U.S. companies have started down the GDPR compliance path. However, many of these businesses are struggling with GDPR compliance. According to a study by PossibleNOW, a provider of consumer regulatory compliance and consent solutions, only 27% of U.S. companies are GDPR compliant. Some businesses continue to take a wait-and-see attitude. Since GDPR is an EU regulation, these organizations are waiting to see how the regulation will be applied before they invest in a GDPR strategy. Other organizations have commented that GDPR is well intentioned and has created privacy awareness, but is difficult to interpret, which makes it very challenging to implement. In fact, some organizations would say full GDPR compliance is unattainable. Yes, the GDPR regulation is very complex, difficult to understand and ambiguous. The GDPR regulation is a legal document that includes 88 pages, 11 Chapters, 99 Articles and 173 recitals. Additionally, the EU is a group of 28 countries. Each country has its own data protection authorities. Germany alone has 19 data protection authorities. And all of them are interpreting GDPR in their own way.
Companies have found GDPR is very costly to implement. This was anticipated before GDPR went into effect. In 2018, the International Association of Privacy Professionals (IAPP) estimated that to do business in the EU today, the average firm of 500 employees must spend about $3 million to comply with the GDPR. And in 2017 the IAPP indicated that Fortune 500 firms had budgeted an estimated $8 billion to become GDPR compliant.
Has the EU Supervisory Authority Issued Many Fines?
As of March 2019, the European data protection agencies have reported over 200,000 cases. Approximately 80% of the cases were either data breaches reported by data controllers (65,000) or complaints (95,000). Since the May 25, 2018 enforcement date, fines totaling €56 million have been assessed. This sounds significant, but it includes the €50 million fine for Google. It appears the EU supervisory authorities are focused on finalizing their review guidelines and methodology and will use the remainder of 2019 to hold consultative discussions with businesses and offer recommendations and guidance to help businesses move towards GDPR compliance.
Data protection and privacy aren’t going away. Love it or hate it, GDPR created a framework to standardize personal data protection. As time goes on, consumers will want more control of the personal information that companies collect from them. Businesses will need to demonstrate they can protect their customers’ data. It’s imperative that your organization takes privacy seriously. Businesses that don’t implement data protection controls will quickly fall behind the curve and over time will lose market share. In the end, people work with people they trust.
Are you having challenges implementing GDPR? Crayon offers GDPR services that can help you work towards GDPR compliance.
Contact your Crayon Account Manager or contact us at firstname.lastname@example.org.