Happy third birthday to the European Union’s General Data Protection Regulation (GDPR), which came into enforcement on May 25, 2018. Despite its teeth, with data protection authorities (DPAs) able to fine companies up to 4% of their global revenues, it thus far hasn’t made headlines for imposing hefty fines.
It would be a mistake, however, to dismiss the impact of these rules and their enforcement just because DPAs have not made use of the maximum penalties. “The drops of rain make a hole in the stone, not by violence, but by oft falling,” wrote Latin poet Lucretius, and that’s how we should consider the impact of GDPR.
Over the last three years, European DPAs have delivered about 700 enforcement actions according to the GDPR Enforcement Tracker website. Courts have evolved their guidance and tooling on international data transfers, and the GDPR continues to shape the regulatory environment globally, with many current and upcoming privacy bills replicating its standards and requirements. A closer look at some GDPR enforcement actions shows that:
- Data protection authorities are enforcing the rules. Despite the global pandemic, GDPR enforcement continued at a steady pace. With over 220 enforcement decisions made so far, Spain leads the pack of most active regulators across Europe, followed by Italy and Romania. Overall, DPAs have levied fines for a total monetary value of €280 million. Italy has so far imposed fines for the highest amount — more than €76 million — and if all fines are confirmed, France’s Commission Nationale de l’Informatique et des Libertés (CNIL) and Germany’s Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI) will be following suit.
- Failures of data governance trigger the most fines and penalties. According to the GDPR Enforcement Tracker website, DPAs have carried out about 55% of their enforcement actions for infringement of Article 5 (principles of processing of personal data) and about 40% of actions for infringement of Article 6 (lawfulness of processing). These rules contain key data governance and privacy principles, such as ensuring that data is linked to a specific purpose, data accuracy, quality, and fairness of processing, etc. Data shows that firms have also struggled with rules about collecting data lawfully from individuals, such as through consent or legitimate interest, etc.
- Employee privacy rights are climbing the enforcement priority list. European regulators have so far issued about 50 fines and enforcement actions for violations of employees’ privacy. Some of these relate to employers’ failure to complete an employee request for data deletion or access. Other investigations uncover critical risks that companies often fail to prioritize. Employee personal data is primarily unstructured data, and it has traditionally escaped the same level of control and attention that companies apply to consumer data. Hence, it was not a surprise that the regulator found that excessive employee personal data was kept in instant messaging tools, emails, and other channels that employees used daily to communicate.
- Individuals’ privacy rights make their way into new privacy bills, but companies struggle. Regulators are slowly, but increasingly, investigating companies that fail to deal with individuals’ privacy rights properly (such as data access and data portability). While fines for failing to comply with data access and deletion requests, as well as objections to processing, have grown significantly in the last 12 months, companies continue to do a poor job at providing privacy notices with appropriate information. This includes information on individuals’ privacy rights and how to invoke them. And this problem might grow further, because other privacy bills, such as the California Privacy Rights Act (CPRA) and the Brazilian General Data Protection Law (LGPD), all contain similar rights.
- Data residency requirements are the gifts that keep on giving. There’s lots of action on this front. After the invalidation of the EU-US Privacy Shield, authorities on both sides of the Atlantic are still discussing a potential replacement. Meanwhile, the European Commission is finalizing updates to the Standard Contractual Clauses (SCC), which can be used to transfer personal data from the EU to third countries. The European Data Protection Board (EDPB) also published guidance on new risk assessments and additional safeguards, such as encryption, that companies must put in place when transferring personal data to third countries that raises particular concerns. New data protection adequacy decisions are in the works for both the UK and South Korea.
When it comes to privacy, the lack of headlines is misleading. With governments around the world adopting new privacy regulation, consumers systematically considering privacy as a key factor when deciding what to buy and with whom to share their personal data, and employees paying more and more attention on how their employers collect, process, share, and dispose of their personal data, this is no time to be complacent.
Enza is a senior analyst on the security and risk team of Forrester and a Certified Information Privacy Professional (CIPP/E).