GDPR at One Year - An Assessment


In May the European Union’s comprehensive data privacy regulations will have been in effect for one year. Anyone still in doubt about the seriousness with which these rules are being enforced should consider that in the first nine months alone more than 59,000 data breaches were reported and 91 fines were assessed, including:

  • a 50 million Euro fine to Google for failing to obtain user consent before collecting and processing data,
  • a charge by Germany against Facebook, seemingly never without a bad news day, for failing to allow users to opt out of its penchant for sharing personal tracking behavior with external websites and apps, and
  • in Portugal, a hospital was fined 400,000 Euros after staff members, including doctors, were able to access the medical information of all patients.

Even CCTV owners are accountable - in Austria a retailer with a closed circuit camera in front of the store was fined for violating the privacy of passersby in what was determined to be “public space.”

An analysis of regulatory scrutiny reveals a pattern to specific areas of concern:

  • Passwords must be encrypted,
  • Access to data must be logical and controlled, and
  • Users must be able to actively elect to opt-in to the collection of their information.

It is significant to remember that GDPR authority to impose penalties does not stop at the borders of Europe. As the examples above indicate, any corporation conducting data collection or processing within the EU member states is subject to penalty regardless of the location of its headquarters. And the fines are significant - minor infractions can result in assessments of up to 12 million Euros or 2% of annual revenue; for serious breaches those numbers are doubled.

Although data privacy has become effectively federally regulated within the EU, the United States remains far behind in developing uniform rules. Data privacy falls under the purview of the Federal Trade Commission and eight other agencies where little progress has been made to address the concerns embodied by the EU standards.

Into the breach come the individual states, with California enacting GDPR-like regulations that become effective in 2020. As many of the tech giants are located within California the pressure will only be increased for them to clean up their business practices and provide users with greater control over how their personal information is collected, processed and distributed.

U.S. companies would be well-served to adopt effective data management programs and consider the following:

  • Audit the personal data collected and determine which is “critical” to the company,
  • Develop a process for users to opt-out of data collection, and
  • Create and maintain written data protection policies, including security procedures and employee training.

Although the privacy genie is long out of the bottle, corporations are subject to financial and shareholder pressures that transcend state, federal or EU regulation. However self-serving, these influences may be the last bastion of defense against an implacable tide that seems forever rising.

For further reading on this topic:

The Docutrax Blog Library
