GDPR update at one year. The Good and the Bad
It’s been nearly one year since the General Data Protection Regulation (GDPR) went into effect on May 25, 2018, making this the perfect time for a GDPR update.
It’s certainly made a splash. In fact, according to the European Commission, the Google search “GDPR” was more common for a period in May 2018 than “Beyonce” and “Kim Kardashian.” And throughout 2018, there were more worldwide media mentions of GDPR than of Mark Zuckerberg.
GDPR is often talked about as the world’s bellwether piece of data regulation, but exactly how effective was it in its first 365 days? That’s a question we’d like to tackle in this GDPR update as the landmark regulation nears its first anniversary.
First, a quick review of what GDPR aims to accomplish, straight from the European Commission:
One of the main aims of the General Data Protection Regulation is to empower people and give them more control over one of the most valuable resources in the modern economy: their data. We can only reach this goal if and when people have become fully aware of their rights and the consequences of their decisions.
The European Commission says it is already seeing positive effects of the new rules, suggesting that, based on the volume of complaints, citizens “have become more conscious of the importance of data protection and of their rights.”
The commission released a GDPR update in a January report with figures covering roughly the first eight months:
By The Numbers
- 95,180: Number of complaints to Data Protection Authorities
- 41,502: Number of breach notifications
- €50 million: Google’s fine for GDPR violations
The broad consensus is that both individuals and organizations are taking their data protection seriously—and that’s a good thing. Organizations are self-reporting at a much higher rate—in fact, an enforcement officer in the U.K. expects a doubling of self-reported data breaches there.
GDPR is clearly successful in driving breach notifications, but few fines and penalties were levied in what’s considered a transition year.
Another gripe is with the size of the fines. GDPR gives regulators the ability to levy fines of up to 4% of a company’s annual revenue or €20 million, whichever is higher. The seemingly large €50 million fine to Google actually amounts to only 0.04% of its 2018 revenue ($136.8 billion), according to Slate. And that single €50 million fine accounts for nearly 90% of the €55.96 million in fines levied overall.
Moreover, some companies appear not to be meeting the required 72-hour time frame for breach disclosure. Facebook waited two months to disclose, according to reports, arguing it still satisfied the requirement based on its own determination of when it discovered the breach.
Says Next Web:
Many companies appear to be interpreting GDPR as narrowly as possible. I’m concerned that privacy is still by default put at risk without understanding or having meaningful control.
Some are particularly pessimistic, arguing GDPR has done more to support large tech companies than to protect ordinary citizens, citing the relaxing of facial recognition regulations and nominal fines levied on violators.
Preparing for What’s Next
It’s only a matter of time before the U.S. and others adopt a regulatory framework akin to GDPR. That means all organizations should either be complying with GDPR or using it as a resource to get a head start on compliance. At the moment, U.S. companies are sorely unprepared, according to a report from App Developer Magazine:
By The Numbers
- 50%: Fewer than half of companies have set up an internal GDPR task force
- 18%: Share of Fortune 500 companies that have appointed a Data Protection Officer, which is a requirement of GDPR
- 28,000: Number of Data Protection Officers expected to be required in the U.S. and E.U.
- 70%: Share of employees who have access to data they should not
Chain Store Age suggests thinking of GDPR “as an opportunity rather than as a risk for your business.” It recommends the following starting points for organizations getting on track for compliance.
- Establish a dedicated interdisciplinary team that has a deep understanding of business, legal and IT-related processes within your organization.
- Develop a self-sustaining data protection management system or framework that ensures ongoing compliance and allows alignment with upcoming legal or regulatory requirements (e.g., the CCPA).
- Internalize the seven key principles of GDPR, as they should lie at the very heart of your approach for collecting, processing and storing personal data. Ensure that all employees understand those principles and their implications for your company.
- Perform a detailed gap analysis to see where your company stands and follow a risk-based compliance approach as it will be challenging to tackle the entire backlog and to comply with all requirements at once, while preparing for upcoming legislation like the CCPA.
- With the introduction of double opt-ins and further compliance obstacles, GDPR has significantly impacted retail marketers in the use of contact databases. You need to focus on content syndication and further inbound strategies to compensate for the loss of revenue resulting from those strict requirements. Make sure you have the right technology like automated feed management and content syndication tools to ensure these strategies are effective and efficient.
- Define a clear process for managing and communicating data breaches to comply with the GDPR requirements (e.g., 72 hours for reporting to supervisory authorities) and to avoid bad press and the loss of consumer trust.
The European Commission, through the lens of GDPR, has its own seven steps for businesses to take. Organizations should anticipate regulations and understand that the U.S. is trending toward a nationwide data privacy framework—and running afoul will be costly.
At Heureka, we recognize the work that has to be done. Unstructured data has always been challenging for organizations to manage and search. It is estimated that 80% of organizational data is unstructured data, meaning it is loose in file shares, cloud repositories or on the physical endpoints themselves. And that unstructured data is growing at an annual rate of 63%.
With GDPR and other new regulations and privacy laws, it’s critical that organizations are able to search, classify and remediate unstructured data on demand and at its source. Heureka has revolutionized this process by giving organizations the power to search across thousands of machines simultaneously and to surgically target personal information, all within minutes.
Organizations can now respond quickly and completely to subject access requests.
Heureka has unique solutions for a number of specific articles within GDPR regulations, and allows controllers and processors to use one common software platform to address multiple needs across an organization. Heureka users can run keyword or regular expression searches or queries along with helpful filters to locate information.
To fulfill specific GDPR requirements, Heureka offers the ability to collect, quarantine or delete files where a request has been made (in compliance with Article 17: Right to be Forgotten). And Heureka’s auto-classification engine can identify users who present specific risks, with the ability to focus on specific file-based risk.
Ready to update your GDPR process? Visit our GDPR Compliance page to learn more.