May 2021 marks the third anniversary of the biggest shake-up to data protection legislation for a number of decades. Even in draft form, GDPR promised disruption and enforcement in spades, and although the final version had some changes, it still maintained its prowess. However, did the reality deliver on these promises, and has the carrot won against the stick?
Both at its inception and ratification, the headlines were firmly focused on the penalties involved. Up to four percent of global turnover would mean hundreds of millions of euros for some organisations, so surely that would be a more than adequate deterrent. Obviously, supervisory bodies, along with the wider business community, would prefer to see compliance rather than arbitrary money-making, but at the same time muscle was available for non-compliance on a level never seen before. GDPR provides a great framework for the implementation of robust data protection procedures, but it suffers from one fatal bottleneck – the physical ability of the supervisory authorities to enforce.
Since 2018, EU authorities have issued 661 fines totalling over €292 million. Italy tops the leaderboard for the nation with the highest fines levied, while Spain takes the top spot for the nation with the most fines, along with the highest fine issued to an individual. These numbers sound impressive and suggest the legislation is working. Everybody will remember the British Airways case, where the fine of £183M (reduced to £20M on appeal) served as a clear illustration of what can be done. So, it’s a roaring success, right? Well, not quite.
I personally know of at least several companies who have had special category personal data breaches and the ICO are telling me that it’ll be a minimum of three months before they can even look at it. This isn’t their fault, they simply do not have enough enforcement officers to cope with the number of reported breaches. I’ve no doubt they will get to these incidents, but three months is a long time for the rights and freedoms of data subjects to be harmed.
Now, how you measure success is somewhat subjective. If your goal was to raise awareness and nudge organisations into sorting themselves out, then it’s likely GDPR scores fairly highly. But if your measure was more aligned with changing the ways of the (non-IT/industry) business in your local town or city and tackling data handling issues there – well, then, the jury is still out.
Although only mandated by the regulation in certain circumstances, the appointment of a Data Protection Officer (DPO) is a great idea in any organisation. They provide a wealth of knowledge and experience along with steering and guidance for the business. Everybody within the company knows they have a central point where they can turn and direct any data-related question or query. The importance of the DPO has increased exponentially in recent years, and the DPO will get involved in most areas of the business to ensure compliance. Article 38 makes it clear how reliant all business units will be on the DPO to keep everything as it should be. Data Protection Officers will increasingly be seen as members of boards and executive teams in the future as their relevance and applicability are not only recognised, but also required in order for the business to succeed in its chosen vertical.
There have been some questions raised recently over whether GDPR is still current and ‘worth it’. We don’t know if there will be any amendments, or larger modifications, in the short term, although it is highly doubtful. One thing is for certain though: GDPR has set the benchmark for privacy legislation across the globe. The UK Data Protection Act 2018, the California Consumer Privacy Act and Australia’s upcoming privacy law revisions are all based around the GDPR framework, and adequacy decisions will be judged on the standard. Even if there are changes over the next six years, the foundations and concepts born out of the regulation are here to stay for the long term.