On 25 May 2019 it will be a year since the General Data Protection Regulation (GDPR) came into force in the European Union, with the aim of safeguarding the data of EU citizens.
The regulation gives citizens full control over the acquisition, processing, retention or omission of their personal data, which in turn gives them complete control over how, and to what extent, they disclose their data to businesses.
According to Mathias Moulin of the French data protection agency CNIL, May 2018 to May 2019 has been a transition year for GDPR, in which several national data protection regulators finalized their rules & approaches to GDPR compliance & decided to probe probable violations.
GDPR has been highly impactful in terms of sensitizing the organizations & the common masses at large about the value of data as a currency, to be leveraged only with the consent of the individuals to whom it belongs.
However, GDPR certainly has some visible loopholes. The most obvious one is that, so far, the law has largely failed to impose fines on companies that failed to adequately protect customers' data, except for a few well-known industry giants, including Google, Facebook & Uber, where the violations were too grave to be overlooked.
The challenges with GDPR have always been immense, largely because the law has been the only one of its kind since its inception. The pre-GDPR world had already moved far & fast toward improving personalization for customers, and deriving data from Internet of Things (IoT) devices to optimize their experiences was common practice. GDPR came as a renaissance for marketers and compelled them to review their data protection, acquisition, processing, retention, and omission strategies.
Marketers across the world have only just started acclimatizing to GDPR, as the fines for failing to abide by the regulation are hefty: up to €20 million or 4% of the company's global turnover in a given fiscal year, whichever is greater. The majority of firms across the globe were GDPR-phobic when it was launched but have now started reporting data breaches.
According to Stephen Eckersley, the head of enforcement at the U.K. Information Commissioner's Office, the number of data breaches reported in 2019 is expected to be approximately twice that reported in 2018 (36,000 breaches expected in 2019, compared to roughly 18,000 to 20,000 reported in 2018).
1. Google Fined €50 Million by CNIL
The French Data Protection Authority, CNIL, fined the tech giant Google €50 million in January 2019 for violating the GDPR norms on obtaining consent, which must be “granular, freely given, informed & must involve affirmative action”.
Google was fined because of its economic model, which depends on ads & personalization. It violated GDPR guidelines “such as the data-processing purposes, the data storage periods or the categories of personal data used for the ads personalization”.
The penalty came as a result of complaints filed in May 2018 by two European pressure groups: None Of Your Business (NOYB) and La Quadrature du Net.
The fine of €50 million, though the largest to date, is still small for Google, as the maximum penalty would have been €4 billion had it been calculated on the basis of Google's annual turnover.
2. Chat app Knuddels fined €20,000 for Data Breach
In July 2018, the personal information of more than 330,000 users of the German social media platform Knuddels was hacked & compromised. The company discovered the breach in 2018 & reported it to the German Data Protection Authority, the State Commissioner for Data Protection and Freedom of Information Baden-Wuerttemberg (LfDI).
The accounts of all the impacted users were immediately shut down. In November, the LfDI issued a fine of €20,000. The LfDI also discovered that the company had stored user passwords in plain text. The fine was minimal considering that it could have been close to €10 million had the company been fined 4% of its annual revenue.
The LfDI, however, commended Knuddels for its "extreme co-operation" & the steps it took afterwards to improve the data security of its users.
3. Digital Marketing Company Bisnode Fined €220,000
On April 1, 2019, the Sweden-headquartered digital marketing company Bisnode, which has an office in Poland, was fined €220,000 by the Polish Data Protection Authority, the national Personal Data Protection Office (UODO), for violating its obligations under Article 14 of GDPR.
The fine was imposed as a result of the company's business model, which relies on processing scraped data for insights without individually obtaining the consent of the data subjects.
In addition to the fine, the company must separately send an email to 6 million people within the next three months, which will incur an additional cost of €8 million.
Bisnode, however, has said that it will contest the controversial privacy penalty as far as the apex court of Europe, & the final verdict may affect the privacy model of businesses across the globe.
4. Equifax Fined for Failing to Protect Personal Information
The Information Commissioner's Office fined Equifax Ltd £500,000 for failing to protect the personal information of 15 million UK citizens.
5. Denmark’s Taxi Company Taxa 4x35 Fined for Retaining Customer Data Without Consent
A fine of 1.2 million kroner ($180,000) was imposed by Denmark's Data Protection Authority (DPA) on the taxi company Taxa 4x35 for not deleting customers’ telephone numbers.
6. Other Penalties
GDPR Implementation Challenges
a. Organizations need to hold themselves accountable for the secure processing of data throughout the customers’ buying cycle.
b. Fines and penalties are subjective and depend upon various factors including:
c. Organizations need to meet the minimum transparency & information requirements to comply with GDPR.
d. The potential costs of Subject Access Requests (SARs) & data portability have to be borne by the organizations.
e. Under Article 30 of GDPR, organizations have to keep records of their data processing activities.
f. The territorial limits of GDPR are not clearly defined in Article 3(2).
g. Mandatory Data Protection Impact Assessments are an additional burden for organizations.
h. Articles 48 & 49, describing cross-border data transfers, are ambiguous.
i. It still remains unclear how the European Data Protection Authorities will be able to impose fines on non-compliant nations.
In a GDPR-compliant age, it is mandatory for companies to act in accordance with GDPR rules, not only to avoid the hefty fines but also to earn the trust of their customers, investors & the marketplace at large. Although GDPR is still new across the globe, has many loopholes & needs to mature into a fully implemented form, abiding by its norms is not only the best possible form of prevention against hackers but also ensures that marketers are safe from stressful & expensive penalties & that their reputation stays intact.