Almost a year since GDPR, how has it been?

In 2018, the European Union, trying its best to control and protect personal data on the Internet, came up with the General Data Protection Regulation (GDPR).

This regulation affects only the European Union, so any brand that wants to do business there and handles personal data has to comply with it.

Regulators at top speed

The regulation has been in real effect for little more than 8 months, and it has become a true challenge for regulators, brands and their lawyers alike.

The biggest problem is that the law sets a threshold of 72 hours to report a data breach; if that time elapses and you haven’t reported it, the sanctions could be worse than the breach.

So, many brands are desperate to report breaches new and old, leading to a giant backlog of reports for regulators who are already working at full capacity.

GDPR looks to protect users' sensitive data

The good news is that most breaches have been reported all over Europe. Even companies like Google are currently appealing fines that can reach $57 million USD.

The bad news is that barely 91 fines have concluded successfully; these numbers don’t even constitute 1% of the reported breaches, and most of them are around $20,000 Euros.

It’s reported that these 8 months have been like a grace period for companies to completely understand the rules and to fully adopt the new regulations. However, it’s expected that starting this month, sanctions will get tighter and companies should pay even more attention.

The GDPR grace period is over

Lessons learned from GDPR’s first fines

Many things have happened since the GDPR began to work.

The first thing we can see is that genuine efforts to uphold the law are taken into consideration. For example, an unnamed German company recently reported a breach of sensitive data for 330,000 users.

The company was facing a fine of $10 million Euros or 2% of its total annual turnover. However, regulators decided to lower the fine to 20,000 Euros because the company reported the breach and demonstrated its efforts to uphold the GDPR.

Also, there have been many cases where the violations have come from very basic things. There are appeals today for security cameras in public places, bad practices in data handling in hospitals, and many more.

GDPR is becoming more and more aware of breaches

Regulators have asked companies to double-check things like basic encryption, access control and notification of CCTV.

Next comes client treatment. This year Google faced a fine of 50 million Euros for missing the most fundamental thing: transparency.

The GDPR is very clear about it: first, we must inform the client of absolutely every step that requires personal data, and every agreement contract must be very clear and specific.

So, Google got this specific fine (remember, it’s not the only one) for failing to properly describe its personal data handling and for having vague terms of agreement.

So, what’s the verdict?

So far, the European regulation has proven to be beneficial for both the market and the users. The simple fact that companies are working hard to stay within the GDPR rules tells us that it is actually working.

However, many claim that the Internet is a place of much experimentation and the more the government is allowed to regulate it, the more limited it will become, leaving us without the freedom of choice we have enjoyed in it so far.

At the moment, the law is barely touching down on communication companies. Only time will tell if the next 8 months keep them happy and friendly or lead to an inevitable break of trust between the private and public sectors.

