What Can We Learn From GDPR So Far?
GDPR fines shot up in 2020 as regulators start to crack down further, but it’s proving to be complicated for both regulators and the regulated.
The arrival of GDPR felt like a storm brewing for many organisations. Some companies feared they would be forced to rethink their entire operating models. That hasn’t happened, but the regulations have still had a profound impact on how companies use data.
Getting into its stride
2020 was the year fines really started to land. Until then, many of the breaches being reported to regulators still fell under the old regulations. A sharp increase was almost inevitable.
Since GDPR’s inception, European regulators imposed more than €160 million worth of fines in 2020, with the majority of them having been issued since January 2020. Of the 281,000 breach notifications issued 77,747 have come from Germany, 66,527 from the Netherlands and 30,536 from the UK. Italy has levied the biggest aggregate value of fines totalling €69.3million. France has, for the most part, been pretty quiet, but it did break the record for the largest single fine of €50 million levied on Google.
Big Tech in the firing line
Google’s fine for a “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation,” served as a wake up call for big tech. Facebook has also found itself in the firing line and has set aside more than €300 million for possible GDPR fines.
However, elsewhere, fintech firms suspect they may have spotted an opportunity. As awareness has grown, they hope customers will gravitate towards those companies they feel are more tech savvy, such as fintech start-ups. Those whose models are founded on technology, so the argument goes, will find it easier to embrace the changes GDPR forces on them.
Larger financial institutions that store their data in multiple countries find themselves needing to comply with multiple sets of rules. This adds to the complexity, and burden of regulatory compliance. The number of large firms who have been penalised, or are worried about being penalised suggests many still haven’t fully got to grips with the changes. This is where Waymark comes in, helping firms by providing a straightforward approach to understanding regulatory burdens and keeping up to date with these as they change.
Brexit
Brexit has only served to increase regulatory complexity. With the UK now fully outside the EU, companies must comply with two sets of data protection laws if they have any data moving between the UK and EU. This is one area many firms haven’t fully understood yet.
Although the UK’s own data protection laws closely mirror Europe’s, there is the risk that they may diverge over time. While Europe has emphasised privacy, the UK has shown itself to be more concerned about security. Companies that hold data in the EU and UK will have to review their policies and operations to ensure cross-jurisdictional compliance.
Throughout the Brexit transition process Waymark’s platform has been flagging the regulatory impacts to users and summarising key news items. For instance when the European Data Protection Board (EDPB) published guidance on data transfers to the UK, we were able to automatically highlight this in user-configured feeds, ensuring this came to the attention of relevant users soon after publication.
Showing lenience
As well as high-profile fines, there have been some instances where companies have got off lightly. The dramatic reduction of the British Airways fine from £183 million to £20 million raised eyebrows. Marriott also saw a significant reduction in its fine. In both cases the reduction was down to the commitment of these companies to improve their data protection measures and an acknowledgement of the difficulties facing companies in times of COVID-19. They show that, although fines are still high, regulators are not without a sense of empathy and a desire to recognise when - despite slips - companies have appropriate cultural and operational measures in place to mitigate risks.
The example of GDPR to date shows that regulators are upping their game on enforcement. They are willing to levy substantial fines but may show some leniency if there are mitigating circumstances and a willingness to put things right.