The application of the General Data Protection Regulation (GDPR) across the EU on May 25, 2018, was a landmark occasion – with the legislation replacing often disjointed and outdated data protection rules across Europe with a coordinated one designed for the modern digital age.
Reflecting on its first five years of existence, at a minimum, the legislation has raised public awareness around data protection and privacy issues, enabling the public to take these issues into account in their consumer choices.
The enforcement powers prescribed also give the rules significant teeth – with regulators allowed to fine non-compliant organizations up to €20m or 4% of their annual global turnover, whichever is higher.
As the GDPR reaches its fifth anniversary, here are four key trends for businesses and regulators to be aware of with regards to the regulation over the coming months and years.
Continued Escalation of Fines and Penalties
In the first three years of the GDPR’s existence, regulators took a relatively light-touch approach to enforcement. From July 2018, when the first ever GDPR fine was issued, through to June 2021, a total of 713 fines were levied, at a cumulative value of around €294.5m ($359.7m).
However, the €746m ($877m) fine issued against Amazon in July 2021 for data processing violations sparked a wave of massive fines against large tech companies. For example, an analysis by law firm DLA Piper found that over €1bn ($1.1bn) in fines was issued in 2021, an enormous 594% year-on-year increase from 2020.
Most recently, in May 2023, a record €1.2bn ($1.3bn) fine was issued under the GDPR to Facebook’s owner Meta for transferring personal data between the EU and US illegally.
The trend is only going in one direction – regulators are taking an increasingly tough line on violations of the rules.
Gary Lynam, director of ERM advisory at Protecht noted that most fines issued to date relate to data processing violations rather than security breaches. This shows how the volume and complexity of information being collected has made it harder to stay compliant with GDPR rules.
“With the likes of TikTok, British Airways and Ticketmaster being among the prominent names to have received fines, GDPR is clearly by no means a simple tick box process,” he commented.
As a result, experts have emphasized the importance of organizations enhancing and modernizing their governance, risk and compliance (GRC) approaches.
Hubert Da Costa, Chief Revenue Officer, Celerway, said: “As we mark the fifth anniversary of the GDPR, companies should take stock and consider much more broadly how their organization is approaching data security.”
Impact of New Technology
GDPR provisions must be continually reviewed and assessed to ensure they are up to date with new technologies like advanced AI. Jakub Lewandowski, global data governance officer at Commvault, has been impressed with the regulation’s resiliency so far in the face of such advancements.
“Despite all the technological developments within the last five years – facial recognition, virtual reality and AI, to name just a few – GDPR has stood the test of time,” he outlined.
Nevertheless, the recent development of generative AI, placed into the spotlight by the launch of ChatGPT, poses new data privacy challenges. This includes issues around how data is gathered to train these models.
Ensuring data protection rules evolve to meet these challenges while not being a roadblock to innovation is going to be vital in the coming years. Helena Nimmo, CIO at Endava, commented: “We're on the cusp of a new era of technology and businesses and regulators have the difficult task of striking the right balance between privacy and innovation, working towards a middle ground that allows both to exist in harmony.”
Lewandowski is confident that regulators and organizations will successfully come through this challenge. “Luckily, the experience that privacy professionals gained through building and implementing GDPR frameworks will be a great starting place when the time comes to undertake a similar process with AI,” he said.
Maintaining Reporting of Breaches
The GDPR has significantly raised the potential costs of data breaches for organizations. The first cost is fines issued by regulators for failing to protect customers’ data properly, demonstrated by the €265m ($275m) penalty levied on Meta in November 2022 as a result of a large-scale data breach that was uncovered in 2021.
This was after Ireland’s Data Protection Commissioner concluded that Meta had failed to comply with Article 25 of GDPR relating to the obligation for Data Protection by Design and Default.
In addition, growing consumer awareness of the seriousness of data breaches since the GDPR came into force can cause additional brand damage for breached organizations and, in some cases, is leading to class action lawsuits.
Such a lawsuit was brought against BA after it was eventually fined £20m by the UK’s Information Commissioner’s Office (ICO) following a large-scale breach of customer data in 2018. The airline then agreed to pay thousands of victims compensation to settle the claim.
These severe consequences aim to encourage organizations to improve their data security posture. However, Richard Starnes, cyber security strategy director at Six Degrees, outlined fears that they could also be leading businesses to cover up incidents. He noted that there has been a general downward trend in data breach incidents being reported to the ICO in the UK since GDPR came into force in May 2018.
“This can have the consequence of causing companies to raise their data protection capabilities, but there is also an incentive to report breaches less frequently or not at all. Let us not forget the recent case of the former Chief Security Officer (CSO) of Uber who was convicted of US Federal charges for covering up a data breach involving millions of user records,” he commented.
It is vital that regulators are aware of this potential issue, and work closely with organizations to ensure all data breach incidents are reported appropriately.
Impact of New UK Data Privacy Law
Following the UK’s departure from the EU, the government has drafted new legislation designed to update the data protection rules governing the country, diverging from the GDPR in several ways.
This includes moving to a ‘risk-based’ model of compliance and updating rules relating to research and AI.
Some believe these proposals would have a positive impact, by reducing costs and burdens on businesses and helping to unlock innovation without infringing on individual data privacy.
Vicky Withey, head of compliance at Node4, commented: “As the [UK] government now has the opportunity to tailor legislation that is focused within specific market sectors, potential reforms can help organizations to achieve their goals where GDPR has been too restrictive, preventing growth and prosperity.”
However, others have argued the Data Protection and Digital Information (DPDI) Bill will add to the burdens on businesses, particularly those operating in both the UK and EU, which will have to comply with two regulatory regimes. Additionally, there are concerns that the current UK-EU adequacy arrangement, which allows the free flow of personal data between the two regions, could be put in danger by the new law, further impacting businesses.
It is important that organizations get ahead and prepare for these changes and potential impacts.
Alev Viggio, director of compliance, at Drata, outlined: “With the new UK GDPR update in effect, and new emerging technologies, companies must take proactive measures to ensure compliance or face the consequences of non-compliance.”
In a survey published on May 23, 2023, Macro 4 found that two-thirds (66%) of IT leaders believe GDPR has made consumers less trusting of organizations.