The status of GDPR 10 months after the introduction on 25 May 2018.
In the days around the introduction of GDPR, Google searches for GDPR outranked searches for Beyoncé.
But that was in May 2018, and a lot has happened since. As expected, Beyoncé bounced back and is again more popular than EU rules, manifests and business penalties; or should we say that GDPR has quickly faded into the background from a news point of view. I would like to share some views and facts on the status of GDPR roughly 10 months after its introduction.
Since the introduction of GDPR on 25th May 2018 we can conclude a few things.
- marketeers and sales hate it, as it imposes quite a few hurdles to "reach out and sell".
- the number of spray paint marketing emails has significantly dropped.
- the number of unsolicited cold calls has significantly dropped.
That was part of the intention of GDPR in the first place: to protect the privacy rights of individuals. So at least that part really shows GDPR in effect.
The entire legislation around it remains complex and is not always very clear, but we can state with a fair degree of confidence that it made people much more aware and cautious. Perhaps that is the biggest win of all: making people and organisations aware that privacy matters, that your data = your data, and that anybody carrying YOUR DATA had better fully understand where, how, when, why and how much.
Looking at the number of complaints reported to the EU data protection authorities, we are almost at the mark of 100.000 filings.
That number in itself is not massive, but it does represent a massive (and really underestimated) amount of workload for employees and DPOs, resulting in loss of productivity, distraction from their core business, additional communication with the authorities, possibly involvement of lawyers and extra unforeseen costs.
The penalty that recently hit the news is staggering: the media reported a case in France against Google of 50 million EUR. Google can't be too happy with the EU watchdog and courts, as its fines have now accumulated to a total of 8.2 billion EUR all in all.
What does not make the major news headlines are the smaller fines that are handed out: the sports betting cafe for unlawful video surveillance, the social networking platform for not securing its users' data. It starts to add up; the fines were small in the beginning but the numbers are on the rise, starting with 5k EUR, 22k EUR and 400k EUR and recently moving up to millions. The smooth introduction or on-boarding period seems over.
Our analysis of EU publications shows that the Netherlands was found to have reported the most breaches (15,400), followed by Germany (12,600), and the UK (10,600). The countries with the fewest reported breaches were Cyprus (35), Iceland (25), and Liechtenstein (15).
GDPR requires data controllers to report breaches within 72 hours of discovery. Once an individual contacts you around data privacy you have 30 days to satisfy the request: what data you carry of that individual (and prove it and deliver it), explain why you have that data, and erase it upon request. That is all fine and good after you have done all your data classification work and process descriptions. In smaller, more siloed applications it is much easier than, for example, in ERP systems like SAP®.
Avoid penalties? Ability to react within the 30 days? What can you do with regard to GDPR in SAP®?
https://www.agilesi.net/gdpr - Read what we do to help you.
Pictures©: The European Data Protection Board