GDPR: A review of 2019 and what to expect in 2020

GDPR. General Data Protection Regulation. Four little initials that have caused mass panic, prompted organizational changes and spurred action internationally, all within a span of less than two years.

While GDPR went into effect in May of 2018, this past year, 2019, was when we truly saw its impact. All organizations under the scope and jurisdiction of the regulation have to fulfil its requirements, which call for legal, organizational and technical know-how. The requirements of the GDPR are in effect for any organization, regardless of its location, that processes personal data (including transmitting and storing personal data) of European Union/EEA citizens. And its authority is no joke.

One of the repercussions of non-compliance with GDPR is fines, and it was exactly this impact that many organizations felt first hand in 2019. According to the GDPR, the maximum fine is €20 million or 4% of global revenues, whichever is higher. This level of fines is far above anything that has ever previously come into effect for data security breaches. It proves a point that's been talked about in the boardroom for years now: data security is a top priority for each and every business.

In 2019 British Airways received the biggest fine as of yet, over €200 million, for a breach that occurred in 2018 just after the GDPR went into effect. This past year we also saw Marriott Hotels fined €110 million for data exposure of guest information that may have actually begun back in 2014, upon its takeover of the Starwood Hotel group. This points to the scrutiny and due diligence that must be deployed in meeting GDPR and in covering all access points, even those of significant past transactions like mergers and acquisitions, to ensure compliance. It was not just private organizations that the ICO went after, but also public services such as hospitals in Portugal and Germany, the Professional Football League of Spain, Germany's telecom firm (€10 million), and even Google “for lack of transparency, inadequate information and lack of valid consent regarding the ads personalization” in France.

But Google is a US-based business, so why was it fined by the ICO? In fact, one of the largest hurdles for US businesses in 2019 has been understanding and implementing appropriate changes to comply with GDPR, because GDPR explicitly states that its regulations apply not only to EU businesses but to any organization that may reach, collect and store data of EU citizens. This essentially means all organizations' websites accessible within EU countries fall under the grasp of the ICO and the regulations of GDPR. In fact, there is a booming industry of companies that provide GDPR compliance services and assist US businesses. We at Complior offer assessments, consultancy, training, project management and even fulfilling the DPO role as a service, which can be key for small to medium-sized businesses. Wherever your business is headquartered around the globe, if it ever reaches EU citizens, which is almost guaranteed, you are required to abide by the GDPR. While the process seems arduous, time-consuming and expensive, and it can be, we can work with you, your existing team and your budget to assist in the process and ultimately avoid significant brand-traumatizing effects.

With 2019 behind us and numerous examples of the repercussions of GDPR non-compliance evident, what can we expect for 2020?

Dubbed GDPR-lite, the California Consumer Privacy Act is effective January 1, 2020. The CCPA doesn't encompass all businesses, only those that meet one or more of the following three criteria: “a gross revenue over $25M, more than 50,000 customers, or whose revenue is 50% or more based on user data”. Its fees are also much lower, ranging US$2,500-US$7,500/occurrence as reported by the Guardian. Even so, it shows that data security regulations are becoming a norm in today's world. More countries around the globe are adopting similar laws, and in the next decade we may have to ask: will there need to be alignment between regulations? Will there need to be a regulatory body globally? Businesses today are accessible by anyone with a wifi connection, wherever in the world they may find themselves. How do we protect their personal information?

Another question looming in 2020 is around the collected funds from GDPR fines. Where will the money collected from fines by the ICO in the EU and by other regulatory bodies, like those in the US, go, and what will it be used for? We are talking potentially billions over the next few years, and an uncapped potential with the 4% of global revenues regulation. More than likely, in 2020 we will start to see answers to some of these questions as the next phase of GDPR, along with perhaps some transparency from the ICO and undoubtedly more organizations being fined.