GDPR Report Card: Year Three – Fines, New Processes and More

Since its rollout three years ago, the General Data Protection Regulation has grown into a global change agent. Discover what's changed and what challenges are still ahead.

May marks three years since the rollout of the General Data Protection Regulation (GDPR). In that time, GDPR has grown into a massive influencer and change agent both in Europe and around the globe. Every one of the EU’s 27 Member States plus the United Kingdom has issued at least one GDPR fine for a price tag of over €292 million. Despite the pandemic, fines were up 19% in 2020 over the year prior.

The gold standard for data privacy

GDPR is heralded globally as the gold standard of data privacy regulation. Scores of other countries around the globe have or are in the process of creating their own legislation, each with significant GDPR similarities including the LGPD in Brazil, the Privacy Act Amendment in Australia and a Personal Information Protection Act in South Korea. In the U.S., the California Consumer Privacy Act (CCPA) is in full effect and several other states are addressing their own data protection needs with bills that are in various stages of progress.

To comply, many individual organizations are adopting elements and ethos of GDPR into their own data privacy strategies. It’s a logical thought process for companies to follow – if you can answer the questions laid out in the GDPR Data Protection Impact Assessment (DPIA) and add sufficient measures to protect the data, you have a great starting point for GDPR compliance as well as adherence to the new wave of data protection regulations being published globally.

The DPIA is just one of the requirements laid out in GDPR, but it is foundational to how you understand and mitigate potential risks to data before launching a new project. The questions help you identify what type of data you have, what the new project will process, why, who has access to it, what you are doing to protect it and if/when you will erase it. Answering these questions can help you identify and implement appropriate risk mitigation measures from the very beginning; ensuring data privacy hygiene and compliance is already baked in, rather than adding it on as an afterthought.

What’s next for GDPR?

GDPR has brought much-needed process and oversight to the protection of personal data to be sure, but it still hasn’t instilled greater confidence in the minds of most consumers. The appalling data leaks we read about in the headlines from companies around the globe feel like just the tip of the iceberg.

It also hasn’t necessarily leveled the playing field for organizations that are trying to comply. The largest share of the GDPR price tag continues to be paid by SMBs that sit within an enterprise’s supply chain. Without GDPR compliance and the data protection assurances it requires, the SMB will lose its place in the supply chain. The revenue they generate from their enterprise business is critical to their ability to meet data protection standards and ultimately, stay in business.

Some large tech companies make a business out of data mining, and for them, a re-evaluation of the ethics behind this practice must take place. The absence of real, positive outcomes for the consumer through that mining should lead regulators to set their sites on those companies even further and hit them with hefty fines. This way, we are leveling the playing field for businesses and instilling greater confidence in the minds of consumers.

In the sea of rolling data privacy legislation, organizations large and small must work to get a handle on the data they hold and the purpose behind having it. Introducing a software asset management program can be an essential step in that process. A comprehensive SAM program can provide complete visibility and usage data of your software, applications, cloud and hardware assets so that you can ensure you have visibility over your environment. 

There’s more data privacy work to be done

Clearly, GDPR has more work to do when it comes to compliance for all. And this is ultimately the change we are hoping to see from GDPR – a forcing function in how data is collected, handled and protected for the benefit of individual consumers. After all, they are the ones who pay the price for poor data protection hygiene. While GDPR certainly hasn’t solved all our data privacy problems in three years, we continue to make progress.