Key Observations since GDPR Enforcement

May 28, 2019 Michael Melhem

Giant strides have been made in privacy rights and regulations in Europe and many parts of the globe ever since the General Data Protection Regulation (GDPR) became enforceable on May 25th, 2018. In a world with serious impediments to my privacy and yours, the GDPR, to varying degrees of success, has been slowly leveling the field in how personal data is treated; rest assured, it’s a lot more than the privacy e-mail updates you’ve been receiving and the website cookie banners you’ve been accepting. In layman’s terms, the GDPR mandates requirements for storing, processing, accessing, and protecting personal data. We’ve all heard it – failure to comply with the Regulation attracts staggering fines of up to 4% of annual global turnover for the prior financial year, or €20 million, whichever is higher. Despite the laundry list of concerns surrounding the Regulation, there has been reasonable progress since the enforcement date. Here are some notable observations since the inception of the GDPR that you should know:
Creating Greater Awareness on Data Handling

The GDPR implementation date has undeniably created greater awareness of best practices for handling personal data among businesses and organizations. The fear of being fined has forced businesses to gain a basic understanding of the GDPR, consequently gaining an understanding of how to handle and manage personal data. However, it is not only organizations in the European Union that have become more aware of how to handle personal data, as non-EU organizations are equally subject to fines if data belonging to EU data subjects is compromised, mishandled, used without the individual’s consent, not properly secured, or inappropriately disclosed as a result of non-compliance. Global companies have seen the writing on the wall and the imminent need to become compliant as well. As a result, this has set the stage for a global upheaval and shifting in organizations’ behaviors when handling personal data. Furthermore, this has encouraged other nations and some US states to think about implementing privacy laws and regulations like the GDPR, but with some differences.
Complaints and Penalties Recorded so Far

Since the May 25th enforcement date, concerned data subjects have filed thousands of complaints with the EU Member State Data Protection Authorities, requesting investigations into the data handling practices of many organizations. As of December 2018, complaint totals were in the tens of thousands, including 8,000 in the United Kingdom, 6,000 in France, 4,600 in Germany, and 3,500 in Ireland. In addition, the GDPR allows data subjects who are in the EU to file class action lawsuits against organizations. For example, seven GDPR complaints have been filed against Google over user location tracking. GDPR complaints have already resulted in fines, with the fine against Google the most well-known among them.
Fines and Penalties Issued

Aside from the aforementioned complaints, there are a few more warning signs indicating upcoming problems for the giant tech organizations under the GDPR. GDPR complaints have resulted in some leading companies being penalized, beginning with Google when the French Data Protection Authority, CNIL, issued it a fine of $57 million (€50 million). While giving this penalty, CNIL claimed that Google was not complying with the GDPR when new users followed Android’s onboarding process for setting up a new phone. Additionally, CNIL concluded that Google’s transparency and consent policies failed to comply with the GDPR. Other organizations under scrutiny include Facebook, which was issued a £500,000 ($645,000) fine for not preventing misuse of personal information. The incident led to Cambridge Analytica accessing the user data of hundreds of thousands of Facebook accounts and ultimately utilizing this information for political reasons. Although the GDPR wasn’t yet active at the time of this incident and the maximum penalty limit was fairly low, this violation would have resulted in much higher penalties under the GDPR’s new fine structure.
GDPR Went Mainstream: Privacy Notice Updates and Consent Banners

As a result of the GDPR’s updated accountability and transparency requirements, endless emails pertaining to privacy notice updates crammed consumers’ inboxes, demonstrating that the Regulation had officially penetrated mainstream public awareness. While most users casually skimmed the notices’ contents, these updates detailed key provisions for certain data subjects – mainly, offering increased control over how their data should be used and identifying the legal grounds for processing their data. At the same time, data subjects likely saw an increase in the volume of cookie consent banners on their favorite websites, coupled with increased requests for consent to continue direct marketing through targeted online ads and email campaigns. The GDPR’s redefinition of personal data to potentially include IP addresses had a significant impact on the viability of cookies to track users’ online browsing behavior.
Non-EU Companies Block EU Website Traffic

The idea of a company in perfect compliance with the GDPR is still far-fetched to most. With that in mind, the implementation of the GDPR has caused some non-EU websites to block users in the EU from accessing their services by the geographic location of their IP addresses. Since the Regulation stipulates that the site owner is the data controller responsible for protecting user data, these sites have resorted to blocking EU users in order to avoid having to comply with the Regulation, thus avoiding enforcement and potential fines.
Overall Tightening of Data Security

There’s no denying it: due to several regulatory requirements, organizations have evolved enormously in tightening their security mechanisms and will need to continue to apply appropriate levels of effort and best practices to protect user data and remain on the path of compliance. In a nutshell, the GDPR holds an organization responsible for any breach of personal information in its data processing environment. Moreover, Article 32 of the Regulation requires organizations to implement security systems that provide reasonable assurance of data confidentiality, availability, and integrity. They are also required to utilize mechanisms for recovering and restoring information in the event a breach leads to data loss. All organizations are further required to use effective security processes to evaluate the general security of their systems. Regulatory security requirements such as these have resulted in most organizations implementing tighter cyber security measures.
The GDPR as a Global Standard

It is probably fair to say that the GDPR has become a global standard for personal data protection, and there is no denying that organizations are facing an uphill battle to comply with the strict requirements. As the Regulation is meant to protect the privacy of all EU data subject information, it needs to be made crystal clear that the GDPR’s applicability is global whenever an EU data subject’s personal information is involved in some processing activity. The fines against Google are clear indications that the GDPR goes beyond geographic boundaries in protecting and securing personal data and is slowly establishing itself as a global security standard.

There is nothing new about people wanting their privacy protected. With the advent of “big data” through data mining in business intelligence and artificial intelligence (AI), the rise in cybercrime and leaking of personal data, and selling of user data among companies, a digital battlefield without borders has been created, where power-grabbing corporations and the European Union go head-to-head. For that reason, the GDPR is here to stay and the recent fines are just the tip of the iceberg when looking ahead at the new privacy paradigm.

About the Author

Michael Melhem

Michael Melhem is a manager with Schellman & Company, LLC. At Schellman, Michael leads and supports a variety of IT attestation, audit and compliance examinations for organizations across many industries. Prior to joining Schellman & Company, LLC, Michael worked as a Senior Consultant for Deloitte’s Technology Risk practice. At Deloitte, he focused primarily on executing and managing Service Organization Control (SOC) examinations, IT security & privacy assessments, Sarbanes-Oxley (SOX) consulting, and led a variety of cybersecurity assessments. Michael maintains multiple certifications, including CISSP, CISM, CISA, ISO 27001 Lead Auditor, and CCSK.