Please note: all guidance and information contained in this post was correct at the time of publishing, but may now be out of date.

Happy Birthday GDPR! Key things you need to know on its 3rd birthday.

May 25, 2021 | IASME Cyber Assurance

Happy Birthday GDPR!

Three years ago, on May 25th 2018, the toughest security and privacy regulation in the world became law. The General Data Protection Regulation is a legal framework that was created to strictly regulate personal data, for users and businesses in the European Union. GDPR gives users additional rights and control over their data, allowing them the choice over who is gathering, analysing and using that data. Did you know that…

1. GDPR reaches businesses outside the EU

The GDPR applies to companies operating in the EU and also to non-EU businesses that process the data of, or provide goods and services to, residents of the European Economic Area (EEA).

2. Processing ‘personal data’ of EEA residents includes even a business e-mail address.

This rule has a significant impact on companies that may have EEA residents in their database or who use their products and services. It means many global companies need to get their data collection, website and company policies aligned with the GDPR requirements.

3. The GDPR imposes substantial fines for non-compliance

There are two levels of GDPR fines:

• the lower level is up to €10 million, or 2% of the worldwide annual revenue from the previous year, whichever is higher.

• the upper level (for serious violations, which include inappropriate transfer of personal data to a country that lacks “adequate” data protection) may be the higher of €20 million or 4% of the worldwide annual revenue.

4. The total amount of GDPR fines is €293 million

In 2021, Italy tops the rankings for aggregate fines of just over €76 million since the introduction of GDPR. Germany is in second place with €63 million and France third with €54 million. The UK follows with total fines of €44 million.

5. Some high profile GDPR fines are…

In January 2019, it was found that Google failed to provide enough information to users about its consent policies and did not give them enough control over how their personal data was processed.
This resulted in a €50 million fine from the French data regulator CNIL, which remains the biggest GDPR fine handed out in a single case.

The Swedish multinational clothing company H&M required its employees to attend return-to-work meetings after having time off. Information taken from the non-consensual recording of these meetings became available to over 50 H&M managers and made up part of what would later be described as ‘excessive’ records kept about the workforce and their families.
The Data Protection Authority in Hamburg fined H&M €35 million for the illegal surveillance of its employees.

British Airways suffered a cyber attack in 2018 but did not detect it for more than two months. During this time, hackers stole the personal data of more than 400,000 customers. Following this incident, it was judged that British Airways was processing a significant amount of customer data without the appropriate security measures in place.
In 2019, the ICO announced a fine of €204.6 million (£183.39 million) for British Airways for violation of GDPR. This would have been the biggest GDPR fine ever; however, it was reduced to €22 million (£20 million) in light of the COVID-19 pandemic and its effect on the airline industry.

6. Non-European Countries that still fall under the GDPR

There are dependent territories and countries that are technically in the EU, though not in Europe, and are therefore governed by GDPR. These include: Azores, Canary Islands, Guadeloupe, French Guiana, Madeira, Martinique, Mayotte, Reunion, and Saint Martin.

7. In 2021, there has been a 19% increase in the number of breach notifications, from 278 to 331 breach notifications per day.

(Source: DLA Piper, GDPR data breach survey)

8. Whilst GDPR is the most stringent of privacy laws, it is probably the most practical to comply with.

Businesses are required to take a risk-based approach to managing the data they hold and to implement mitigations that are appropriate and proportionate to that risk.

9. IASME Governance is an effective way of demonstrating that you have taken into account the requirements of the General Data Protection Regulation (GDPR) – find out more here.