The European Union implemented its much-anticipated General Data Protection Regulation (GDPR) on May 25, 2018. Fear of huge fines loomed as companies scrambled to get their processes in order to comply with the new regulation. To date, European data protection authorities confirm that almost 90,000 separate data breach notifications have been received. Out of these, at least 100 organizations have paid fines for failing to fully comply with the regulation.1

Year One Reflections:

GDPR is real, enforceable, and applies to every business collecting, storing, and processing sensitive personal data. One year into its enforcement, GDPR fines total approximately €56,000,000, according to the IAPP.2 The following infographic gives us a fair understanding of GDPR's first year in numbers.

Source: GDPR enforcement in numbers (infographic by IAPP)

The fines listed below show that compliance is not optional.

December 2018: A Portuguese hospital was fined 400,000 euros for allowing its staff to use bogus accounts to access patient records. According to the investigation, the hospital had 985 registered doctor profiles while only 296 were registered. Though the motive for the violation seemed to be a matter of convenience and lacked any malicious intent, the authorities still ruled that it was willful and blatant.3

January 2019: Google was fined 50 million euros by French authorities for collecting personal data from users without providing an adequate level of transparency on how that data would be used to personalize advertisements on the platform. Under the provisions of the GDPR, organizations must obtain valid consent to collect personal data and to consume it in a number of ways—no blanket consents are allowed.4

March 2019: A taxi company in Denmark was fined 1.2 million kroner for storing over nine million records of redundant personal contact information on its information technology systems. Under the GDPR, the information should have been deleted once it was no longer required to conduct regular business activities, a requirement the company failed to comply with.5

March 2019: A Polish data processing company was fined 220,000 euros for scraping the internet for publicly available personal data and then using that data to contact over 90,000 individuals for promotional purposes. The activity was a clear and blatant violation of the GDPR, and some 12,000 of the contacted individuals complained about it.6

So far, the GDPR hammer hasn’t come down in the first year of its implementation to the extent that many expected. While the total number of fines may seem low, it is likely that this is not a true representation of those that have actually been fined. There is a good chance that we will start to see the full power of regulators as they sieve their way through the list of pending and future breach notifications.

Impact Around the Globe

The global conversation around privacy has shifted since the introduction of GDPR, and countries are taking cues by modifying their own privacy laws. Brazil, Japan and South Korea have planned to change their privacy laws since the introduction of GDPR. The new California Consumer Privacy Act (CCPA), effective January 1, 2020, is partly inspired by the GDPR. India is also considering its own law based on GDPR.

Kalinda Raina, head of global privacy at LinkedIn, recently called this ripple effect the “GDPRization of laws across the world.”

What Does It Mean for Businesses?

It is incredibly important that businesses are able to identify and mitigate real threats as soon as they appear. The volume of data generated today is simply too high, and it is virtually impossible for IT teams to manually monitor and keep track of hacker activities. Managing sensitive data is a struggle for most tech companies. It is the most common target for cybercriminals and usually the primary driver for information governance, data compliance and security programs.

Knowing where sensitive data is located and properly governing it with policy rules and impact analysis is critical for compliance, audits and risk management. Kogni, the world’s leading data privacy and security product, helps solve all of these issues with tools that enable companies to discover sensitive data in enterprise data sources, secure data as it is ingested, and continuously monitor data sources for possible breach and policy violations. Kogni, with automatic sensitive data discovery, is uniquely positioned to help enterprises adhere to GDPR within an accelerated time frame.

Conclusion

The first year gave businesses an extension to understand GDPR better for themselves, how it actually relates to them and to learn exactly what they need to do to become compliant. GDPR is expected to have some tweaks to adapt to the rapidly changing data landscape. Sanctions are expected to become much tougher going forward. We can expect more fines and heftier fines to be handed out as regulators clear the backlog of data breach notifications and as new regulations come into effect. The long-term goal, of course, is prevention, which will require organizations to appraise their architecture and overall security posture and build robust solutions to defend their data and brand reputation. The GDPR does have its issues, yet it has unquestionably helped raise awareness around privacy legislation, not just within EU borders but worldwide.

When it comes to protecting data, organizations need to view it as an established component of their security and privacy program. Complacency is no longer an option and it is time to take heed of all aspects of one’s data handling processes. Organizations struggling to address the myriad security and privacy regulations around data should look no further. When it comes to selecting a solution that helps you navigate the complex data security and privacy regulation landscape, Kogni is your best bet.

For a comprehensive security product with already built-in solutions around GDPR and other data security and privacy regulations, write to contact@kogni.io or visit kogni.io

References

Palmer D, (May 2019), Where GDPR goes next: How digital privacy is taking over the world https://www.zdnet.com/article/where-gdpr-goes-next-how-digital-privacy-is-taking-over-the-world/

Armerding T, (Feb 2019), GDPR: Not Heavy Handed Yet, But Driving Data Breaches Into The Open https://www.forbes.com/sites/taylorarmerding/2019/02/13/gdpr-not-heavy-handed-yet-but-driving-data-breaches-into-the-open/#5aaf5a075203

1. Infographic: The European Data Protection Board, (May 2019) https://ec.europa.eu/commission/sites/beta-political/files/infographic-gdpr_in_numbers_1.pdf

2. Infographic: IAPP GDPR One Year Anniversary, (May 2019) https://iapp.org/resources/article/gdpr-one-year-anniversary-infographic/

3. Montiero A, (Jan 2019), First GDPR fine in Portugal issued against hospital for three violations https://iapp.org/news/a/first-gdpr-fine-in-portugal-issued-against-hospital-for-three-violations/

4. Doty D, (Jan 2019), J'Accuse: French Regulatory Body Hits Hard In Its First GDPR Fine https://www.forbes.com/sites/daviddoty/2019/01/28/jaccuse-french-regulatory-body-hits-hard-in-its-first-gdpr-fine/#f52563077136

5. Hoy M, (March 2019), Denmark Recommends First Fine Under New EU Privacy Law https://news.bloomberglaw.com/privacy-and-data-security/denmark-recommends-first-fine-under-new-eu-privacy-law

6. Lomas N, (March 2019), Covert data-scraping on watch as EU DPA lays down ‘radical’ GDPR red-line https://techcrunch.com/2019/03/30/covert-data-scraping-on-watch-as-eu-dpa-lays-down-radical-gdpr-red-line/