Last year we wrote a blog detailing the European Union's (EU) General Data Protection Regulation (GDPR). The GDPR is an EU regulation on data protection and privacy for all individuals in the EU and the European Economic Area (EEA), and it also governs the transfer of personal data outside the EU and EEA. In that article, we discussed the regulation's purpose, why companies (both EU and non-EU based) must comply, and the effects it was expected to have on the IT industry. Today, a little more than a year after the regulation took effect, we're going to revisit the topic.
In this article, we’ll give a GDPR refresher, talk about the effect the regulation is having on business, and provide you with a notable list of companies who have already been penalized. We’ll also look at how the IT industry has been affected and what it means for the future of IT.
A GDPR Refresher
On May 25, 2018, GDPR went into effect with the aim of giving individuals more control over their personal data. The regulation applies to any organization that processes the personal data of individuals residing within the EU, no matter where in the world the organization is based. Failure to comply can cost an organization up to €20 million or 4% of its annual worldwide turnover, whichever is higher. To date, more than 40% of companies (of those with a data presence within the EU) have spent, on average, more than $10 million preparing to comply with the regulation. In the US, however, only 27% of companies report being compliant to date, with many simply hoping a data breach doesn't happen to them.
GDPR’s Effect on Business
One year into the new regulation and businesses are feeling its effect. One study suggests that websites are making less money because of GDPR, with the median site earning roughly $8,000 less revenue per week (though more data is needed to confirm the finding).
So how could GDPR be to blame?
GDPR makes it harder for companies to collect customer data, since its fundamental requirement is that users must consent before being tracked, and some have posited that this has changed users' web habits. The thought is that, with more concern over web privacy, people may be less willing to hand over personal data, which in turn leads to less online shopping. On the business side, companies have seen a reduction in the amount of data they collect, which limits their ability to make informed decisions about targeting customers. Both effects result in less revenue for the company.
While these are only initial studies and theories, more research in the years to come should reveal GDPR's true effect on business.
GDPR Penalties Enforced
Under the regulation, a personal data breach must be reported to the supervisory authority within 72 hours of the organization becoming aware of it, and affected data subjects must be notified without undue delay when the breach is likely to put them at high risk. Since the beginning of the year, over 59,000 data breach notifications have been filed, yet only 91 fines have been levied. There is clearly an enforcement backlog, as high-profile cases have taken precedence. Here are a handful of those cases:
- Privacy group NOYB (None Of Your Business) filed complaints against eight tech firms for not fully complying with GDPR, specifically for failing to provide users with the data they requested under their right of access. Among the companies named were Apple, Amazon, Netflix, Spotify, and YouTube.
- The French data protection authority CNIL (Commission Nationale de l'Informatique et des Libertés) fined Google $57 million (€50 million) for not adequately disclosing how it collects and uses data from users across its services.
- German authorities levied 41 GDPR-related fines against German companies as of mid-January alone. The highest fine being €80,000 to a company that let health-related data be seen publicly.
- The UK's data watchdog, the ICO (Information Commissioner's Office), announced its intention to fine British Airways $230 million over a data breach in which roughly half a million customers' details were harvested after site traffic was diverted to a fraudulent page.
- The ICO also announced plans to fine Marriott International up to $124 million over the Starwood Hotels breach, which exposed the records of roughly half a billion guests worldwide.
GDPR’s Effect on IT
While the size of some of those fines can be jarring, the companies being fined can surely afford them. For smaller organizations, however, a million-dollar fine, or a fine set as a percentage of annual revenue, can be crippling. In either case, fines, along with the negative press and public sentiment they generate, are something every company will want to avoid. That is why there is such a need for cybersecurity experts: people who can help companies secure their data, remain compliant, and prevent future data breaches.
The problem, however, is that there is a cybersecurity skills shortage. While a skills shortage is nothing new to the IT industry (see: IT skills gap), GDPR has made it even more pressing for organizations to grow their cybersecurity teams. Now more than ever, cybersecurity professionals, compliance professionals, and Data Protection Officers are in demand. That means there has never been a better time to partner with an organization skilled at finding such elusive talent. So if your company is looking to avoid a GDPR infraction, contact PSCI today and we'll help you find the professionals who can keep your organization compliant and secure.