A Year into GDPR, Where We Are and What’s Coming

The European Union’s (EU) General Data Protection Regulation (GDPR) took effect on May 25, 2018. Today, let’s look at eight common GDPR facts (as reported by the European Commission in January) to help us understand how things have changed in the EU since the implementation of GDPR.

Note: If you’re not sure what GDPR is and what it intends to do, check out our introduction to GDPR that we wrote in an earlier blog post.

1. There are only five EU countries that have not yet adopted the required national legislation required in GDPR – Although GDPR is directly applicable in all EU countries, it also requires national legislation in each member state to satisfy its requirements. As of January 2019, only five countries (Bulgaria, Greece, Slovenia, Portugal, and Czechia) are still in the process of adopting the required national legislation that goes along with GDPR.
2. There haven’t been too many GDPR fines so far – As of this writing, the most significant GDPR fine so far was for Google, who in January was fined 50 million Euros in France for lack of transparency and consent in advertising personalization. Other fines have been reported from Germany (20,000 Euro) for violation of data security obligations, Austria (4,800 Euro) for illegal video surveillance, and Portugal (400,000 Euro) for a hospital that had illicitly accessed patient data. According to some sources, the GDPR has levied around 91 fines so far but may be getting ready to impose more fines as the regulation continues.
3. Fines aren’t the only penalty for GDPR violations—One of the reasons GDPR fines may not have been as high as feared is that the GDPR has established a range of penalties for violations, not just fines. Fines, of course, are the scariest penalty and can be levied at a rate of 20 million Euro or 4% of annual turnover (numbers which the European Commission states are “…absolute maximum amounts”). The GDPR also has several other corrective measures for violations, such as warnings, reprimands, and orders to comply with subject data requests. The European Commission states that any decision to impose fines must be “…proportionate and based on an assessment of all the circumstances of the original case.” Further, the amount of the fine depends on the circumstances, the gravity of the infringement, and whether the infringement was “intentional or negligent.” Meaning it is possible to have a GDPR violation without a fine but the amount of the fine, if imposed, will depend on the circumstances.
4. GDPR Complaints are rising – From May 2018 through January 2019, 95,180 GDPR complaints have been filed to Data Protection Authorities (DPA). Complaints can be submitted from individuals or from organizations mandated by individuals that were created to file complaints. However, more charges do not equal more fines, as per point #2, relatively few companies so far have been fined for GDPR violations.
5. Most GDPR complaints reported so far concern telemarketing, promotional e-mails, and video surveillance/CCTV—Based on complaints received May 2018 through January 2019, these are the most significant areas of concern so far.
6. GDPR compliance has spread to Japan – On January 23, 2019, the European Commission and Japan adopted an adequacy decision stating that each other’s data protection systems are “…adequate, allowing personal data to flow freely between the two countries”, creating what the EC calls “…the world’s largest area of safe data flow.” This allows EU personal data to flow freely between the EU and Japan, effectively spreading parts of GDPR to Japan, because they are enacting safeguards that are adequate for GDPR.
7. GDPR compliance may soon spread to South Korea– The EU also announced it was negotiating an adequacy decision with South Korean. If realized, GDPR standards may also apply to EU-to-South Korea data sharing, further spreading the standard.
8. GDPR data breach notifications were high after eight months—One key area for organizations implementing GDPR is the requirement to notify supervisory authorities of a data breach promptly, within 72 hours. According to the GDPR, 41,502 breaches were reported from May 2018 through January 2019, a relatively high number.

While these are only partial year numbers, they give us a feel for the effect GDPR is having on European data protection. These facts present a picture of a young standard that is gathering strength. Not all countries have finished implementation. A fairly large number of data breaches and complaints have been lodged, and fines as a part of possible GDPR penalties are still relatively small.

It’s safe to say that GDPR isn’t going away. If anything, it’s starting to influence data protection standards outside of the EU in Japan and possibly South Korea. It remains to be seen whether any other countries adopt adequacy agreement where non-EU data protection standards will support GDPR as Japan currently seems to be doing. GDPR is a relatively young data standard that as it reaches its first birthday, seems to be having a small but growing effect on the EU and the world. It will be interesting to see how much GDPR’s influence grows in the coming years.