GDPR one year on

As anniversaries go, it’s not really the sort to result in mass celebrations. It’s doubtful anyone has even baked it a birthday cake, although the regulators behind it could probably have afforded to lay on a state banquet given the fines that are known to have been levied. It does, however, deserve at least some recognition, so here is a quick rundown of the first year of GDPR.

Half a million organisations are estimated to have registered DPOs

More than 375,000 organisations are documented to have registered DPOs. The super-efficient Germans have been leading the way with at least 182,000 organisations. This puts them way ahead of the French, with 51,000 organisations. The Italians come in a close third with 48,000 organisations. Then there is another sharp drop-off, with the fourth-placed UK registering just 32,000 organisations and the Spanish registering 30,000.

DPAs have received over 280,000 cases

There were at least 144,000 individual complaints. Common issues raised included: access requests, right to erasure, unfair processing, disclosure and unwanted marketing. Complaints didn’t just come from members of the public. It appears some employers didn’t get the message that their employees’ data was also covered under GDPR and so employee privacy also featured highly on the list of complaints.

There were almost 90,000 data breach notifications

If there was one aspect of GDPR that raised eyebrows amongst those in IT, it was probably the fact that GDPR made it mandatory to report data breaches, rather than just recommending it as “best practice”. At the end of the first year of GDPR, we can see that more than 89,000 data breaches were reported. Even so, it might be forgivable to wonder if all companies really are reporting data breaches the way they should or if some of them at least are still taking the view that “silence is golden” and taking their chances with being caught.

There were over 440 cross-border cases

This may not be particularly impressive in and of itself. It does, however, raise some interesting questions about what the future might bring. In principle, GDPR applies to any organisation that handles the data of EU residents.

In practice, it will be very interesting to see to what extent, if any, the EU is actually able to enforce this in real life. After all, certain countries are notorious for taking a very relaxed approach to enforcing intellectual-property laws, even when the rights in question are held by major corporations in superpowers like the U.S. That being so, it’s arguably rather difficult to see why they would particularly care about GDPR, or what the EU could do to make them care. Only time will tell.

Over €56,000,000 of fines have been levied

The EU, it appears, wasn’t joking about enforcement action. In the UK, the stand-out fines so far have been £183 million for BA and £99,200,396 for Marriott. The executives in these companies can at least console themselves with the fact that none of them has been sent to prison, which is also possible under GDPR.