When the General Data Protection Regulation (GDPR) went into effect, it brought with it a great deal of uncertainty. While the 261-page GDPR contained plentiful details, there was no way of knowing what impact it would have on organisations. Any organisation processing or holding data of European Union (EU) residents must follow GDPR, and there were no precedents for evaluating what events would trigger enforcement or how sanctions would be levied.
With fines of up to €10 million or two percent of a company’s global revenues for a first offense, and double that for a second offense, the stakes are clearly high.
The European Commission reported that, as of January 2019, 95,180 complaints of alleged violations of GDPR had been filed with data privacy authorities in Europe. The most common complaints involved telemarketing, promotional emails, and use of closed-circuit television (CCTV) or video surveillance. In the first year of GDPR’s application, 281,088 cases were logged by supervisory authorities. Of these cases, complaints accounted for 144,376, and there were 89,271 data breach notifications by data controllers.
France’s data privacy enforcement agency, the Commission nationale de l’informatique et des libertés (CNIL), has applied a €50 million fine on Google for GDPR violations, citing “lack of transparency, inadequate information and lack of valid consent regarding personalisation” of ads delivered to consumers. In addition, a €20,000 fine was assessed against a German social network operator for failing to secure users’ data, as well as a €5,280 fine against an Austrian sports betting café for unlawful video surveillance. In June 2019, the telecoms company EE Limited was fined £100,000 for sending over 2.5 million direct marketing messages to its customers by text.
To date, the two most significant fines levied have been a £183m fine on British Airways by the Information Commissioner’s Office (ICO) in the UK for not protecting customer data, and a £99m fine by the ICO on Marriott for not protecting guest data.
As of September 2019, the supervisory authorities of the EU have issued, or announced that they will issue, fines totaling approximately €372,120,990.50.
Despite a two-year grace period between passage in 2016 and implementation in 2018, which was intended to give organisations ample time to prepare, our survey has found that one year after GDPR went into effect, companies are still struggling to meet its requirements. More companies are either failing to meet regulatory requirements or having trouble keeping up. A massive 79 percent of companies surveyed post-GDPR say that they are either failing to meet regulatory requirements, having trouble keeping up to date, or both.
The survey
Thomson Reuters surveyed data privacy professionals at global organisations in nine countries. The companies surveyed have average global revenues of US$282 million and an average of 16,400 employees.
The surveys found that global companies’ struggles with data privacy laws and regulations around the world have increased in several ways since GDPR took effect:
- More companies are failing to meet global data privacy regulations
- Many companies have found GDPR compliance more difficult than expected
- Half of companies are at risk of falling further behind
- An increasing number of companies have now been subject to enforcement actions
- Companies are becoming less open and pro-active with consumers
- Board and C-suite concern and engagement on data privacy issues are falling
- GDPR is now consuming a greater proportion of data privacy budgets
Download your copy of GDPR REPORT: Business’ struggle with data privacy—Regulatory environment continues to evolve rapidly here.
Companies already report spending an average of US$1.32 million in 2018 on data protection issues, including employees, software, and third-party resources. UK companies reported the highest proportion of their budgets being consumed by GDPR, at 43 percent. Spending by companies on privacy-related matters has increased in Canada, Australia, New Zealand and France. Most companies anticipate increased privacy-related costs in the future.
Horizon scanning
The outlook doesn’t indicate a reduction in privacy matters. With more data privacy laws and regulations coming into effect over the next few years in other countries, including the United States (U.S.), India, and China, the challenges facing businesses are mounting.
With over a year of experience dealing with GDPR under their belts, companies are now having to turn their attention to a growing number of new data privacy regulations taking effect worldwide. Several countries passed new data privacy laws in 2018, many modeled after GDPR, including Brazil, Bahrain, and Israel. Other countries, such as China and India, are in the process of implementing new data privacy regulations. Recently, several other Latin American countries, including Argentina, Chile and Colombia, have announced a series of legislative proposals to update their respective data protection regulations. One Latin American country, Uruguay, has data privacy laws that already account for some aspects of GDPR requirements.
GDPR clearly had a major impact on global organisations’ ability to meet their data privacy regulatory requirements. Many companies are having difficulty meeting those requirements and are in danger of falling even further behind. While the cost of compliance generally did not rise after GDPR took effect, further cost increases are expected, and many companies still lack vital tools for tracking and meeting the expanding global regulatory framework they face. Data privacy regulations around the world continue to proliferate at a rapid pace. If the GDPR implementation provides any lesson, it is that organisations are finding themselves increasingly challenged to meet these growing requirements.