GDPR, or General Data Protection Regulation, has been enforced since May 25, 2018. Since then, European data protection authorities have reported receiving nearly 90,000 individual data breach notifications. It is important to add that this number only includes organizations that are trying to comply with GDPR. Likewise, the European data protection authorities have confirmed that during this same time period, nearly 145,000 concerned citizens submitted complaints and questions.
While a number of reports have been published, European data protection authorities are not being transparent about the fines collected thus far as a result of GDPR. A few third-party investigations suggest that, at minimum, more than 100 organizations have had to pay fines for not complying with GDPR.
Google was fined 50 million euros earlier this year by French authorities and is appealing. The corporate giant was accused of collecting personal data without providing enough transparency to its users about data usage. Specifically, the data was utilized to personalize ads to users while on its platform.
GDPR specifically requires organizations to obtain consent to use personal data, and this includes every specific use of the data. A “blanket” consent is not permitted.
The Purpose of GDPR
Last spring, GDPR replaced the Data Protection Directive 95/46/EC. It was agreed upon by the European Parliament and Council as the primary law regulating how companies protect the personal data of European Union citizens. Its key provisions cover:
- Data processing that requires the consent of the data subject
- Protecting privacy by anonymizing collected data
- Mandatory data breach notifications
- Safe transfer of data across borders
- A requirement for some organizations to appoint a Data Protection Officer responsible for overseeing compliance with GDPR
There are six privacy principles to GDPR:
- Purpose limitations
- Data minimization
- Storage limitations
- Integrity and confidentiality
- Lawfulness, fairness and transparency
How GDPR Affects Your Business
It doesn’t matter where you are located. If your business markets goods or services to EU residents, then your business is subject to GDPR and could be fined for not complying. If your business collects any of the regulated data from European users, you are also obliged to comply with GDPR.
American websites that do not comply with GDPR can have their European access removed. For example, a number of large US publications, such as the LA Times and Chicago Tribune, were temporarily blocked for not complying.
Will Regulations Be Implemented in the US Similar to GDPR?
American data privacy has caught the public eye amid increased political scrutiny. While there is currently no federal data privacy legislation, there has been much discussion of the topic. Most notably, the recent congressional hearings with Facebook founder Mark Zuckerberg were prominent in the media.
As a result of GDPR, an Ovum report says that approximately two-thirds of US companies could be rethinking their strategy in Europe. US businesses are anticipating an increase in US data privacy regulation, which means that it is time to implement better data protection measures across the organization.
Be Aware and Prepared for GDPR Compliance
Large enterprises and small businesses alike must have procedures and operations currently in place to comply with GDPR – or risk debilitating fines and/or loss of customer access.
Even if your business is compliant, changes can take place over time, so it is important to stay informed of recent developments.
In short: the sooner and better you understand GDPR and your data privacy risks, and put policies into place, the more confident you can be about your company’s ability to compete moving forward … and the more trust your customers and clients can put into your business.