It’s been nearly one year since the GDPR came into force. This article discusses where things stand, how compliant organizations are with the GDPR, what the reactions have been and what fines have been issued.
The GDPR (General Data Protection Regulation) was brought into force on May 25, 2018. The twin objectives of the GDPR were:
- return to data subjects the rights over their personally identifiable data, including the right to be forgotten, and
- bring uniformity to the differing data protection laws of the European Union (EU) member countries
The GDPR: An Overview
The GDPR applies to all organizations that operate within the EU. That includes organizations that were founded within the EU or have a business unit located in the EU as well.
But that’s not all.
The GDPR also applies to any organization based or headquartered anywhere in the world if it offers its goods or services for sale to EU residents. It applies in exactly the same way to organizations that collect information about EU residents.
Organizations were expected to turn GDPR compliant by the due date May 25, 2018.
Non-compliance would lead to fines as heavy as €20 million.
Where the GDPR stands today
It’s important as well as interesting to see how effective the first year of the GDPR has been and where organizations stand when it comes to GDPR compliance.
The official GDPR statement
The European Commission has come out with a statement and some interesting numbers. Here’s a summary:
- EU countries must adapt their national legislation to include the GDPR. Five countries (Bulgaria, Czechia, Greece, Portugal and Slovenia) have not yet done so, or their processes are still insufficient.
- A total of 95,180 complaints to Data Protection Authorities (DPAs) had been received by the time the statement was prepared and released.
- By the time the statement was released, only three incidents had attracted fines. While two fines were no more than €20,000 each, the third was a huge €50 million fine imposed on Google.
- Telemarketing, promotional email and video surveillance are the three activities that have attracted the largest number of complaints.
Before we discuss which company was fined how much, let’s make one thing clear: non-compliance doesn’t always attract fines. Regulatory bodies have the discretion to simply issue a warning to the erring company and let them off the hook if the issue isn’t serious.
First action under the GDPR
In the first year of the GDPR, the first company to receive an enforcement notice under the GDPR was a Canadian data analytics organization, Aggregate IQ (AIQ).
On October 4, 2018, the UK Information Commissioner’s Office (ICO) issued an Enforcement Notice against AIQ for having allegedly run pro-Brexit campaigns while processing data in a way that was incompatible with the GDPR guidelines.
This notice is of interest for a number of reasons. Here are some of them:
- AIQ has the dubious distinction of being the first company to have received a notice under the GDPR.
- The allegation is that the data was processed for a purpose significantly different from the purpose for which it was collected.
- While the data was processed for reasons different from those for which it was collected, there was no lawful basis for doing so.
- The data under question was collected before the date of GDPR coming into force, i.e. May 25, 2018.
- Apart from having violated the principle of processing data for a different purpose, the UK ICO says AIQ did not tell data subjects their data had been shared by a third party.
- AIQ is alleged to have violated Articles 5, 6 and 14 of the GDPR.
- Articles 5 and 6 deal with the lawfulness of data processing, while Article 14 lays down the rules for cases where data is collected from sources other than the data subjects themselves.
The significance of the first GDPR notice
You couldn’t have missed the specific Articles under which AIQ was alleged to have broken the law.
Note that this isn’t a data breach. It’s about the difference between the intent of data collection and the actual data usage.
Firstly, it’s about transparency, since AIQ is alleged to have not told data subjects that their personal data was being shared by a third party.
Secondly, it’s about having given organizations enough time to put their affairs in order. AIQ had apparently collected the data before the GDPR came into force; for some reason they chose not to become GDPR compliant.
Thirdly, it shows that the GDPR and the related authorities mean business. As pointed out earlier, this wasn’t a case of a data breach, and yet the ICO swung into action.
Finally, it was a strict warning for those who obtain data from third-party sources. Even if you obtain your data from a third party, it is still your responsibility to ensure GDPR compliance.
What this survey says
A survey conducted by ThirdSector brought out some unusual insights into how the GDPR impacted charities. Of the 176 charity workers surveyed, the chief findings were:
- For nearly one out of every five respondents (18%), the number of people contactable over email dropped by half.
- A little over half (53%) of those surveyed saw their database shrink to some extent. They attributed this reduction in database size to GDPR compliance.
- One in every five respondents (20%) believed their telephonic contact list had shrunk.
Sounds bad? Well, there’s another side to the story as well.
- Seven out of every ten respondents (70%) agreed that the enforcement of the GDPR actually improved their organization’s data protection processes.
- Over half (53%) of the respondents said regulations such as the GDPR helped them build and improve trust in the charity sector.
Here’s an infographic on the status of the GDPR a year after it was enforced:
If there’s one thing that the GDPR can be said to have brought, it’s awareness. Organizations, charities, individuals… every entity has at least realized the kind of importance data deserves.
To begin with, organizations have become a great deal more conscious when handling data. While many activities directed towards GDPR compliance haven’t borne fruit, the organizations’ efforts at least deserve acknowledgement.
Next, the way Britain’s ICO has cracked the whip makes it amply clear that the GDPR is not going to be implemented lightly.
Finally, for some unknown reason, compliance remains a challenge despite the fact that enough time was allotted to become compliant.
Experts have criticized the GDPR for not being fully clear about a number of issues. The GDPR authorities, on the other hand, feel that enough advance time was given and hence that erring companies should be fined and action taken against them.
The extent to which the GDPR places the rights over data back in the hands of the data subjects is one of its brightest features. The earlier companies become compliant, the better it is for data privacy.