The European Commission’s Fundamental Rights report reviewing GDPR has highlighted the progress GDPR has made in terms of safeguarding consumer data privacy rights, along with the areas for improvement.
GDPR watchdogs have bulked up staff and budgets to respond to more infringements, but what matters most is the consistency that should follow. In the experience of cyber security practitioners, the penalty issued tends to be smaller when the organization itself alerts the supervisory authority than when the authority finds out about the breach by other means.
While COVID-19 has contributed to a decline in investigations, businesses should not expect 2020 to be free of enforcement. Even though fines have not been as robust as initially anticipated, the side effects of GDPR are evident: it is now the responsibility of enterprises to curtail behavior that society deems unacceptable.
As a result of GDPR and impending legislation in the US, such as the CCPA (California Consumer Privacy Act), companies have invested millions in data protection. Such investment would likely not have happened without GDPR enforcement.
Regulators cite larger budgets as the reason they can pursue so many infringements. Regulatory activity increased in 2019, but the penalties have mostly been smaller than anticipated. The potential for significant fines remains, but the amounts handed down have hardly been viewed as overbearing.
The report also confirmed that, across the EU member states, the budgets of the national data protection authorities responsible for GDPR increased by 49% and their staffing by 42% between 2016 and 2019.
Some member states have been comparatively aggressive in pursuing infringements, while others have yet to issue a fine. Between GDPR's enactment in May 2018 and January 2019, the 28 EU member states confirmed upwards of 160,000 breach notifications. Excluding the penalties proposed by the UK's ICO, data privacy regulators issued almost $126 million in fines during that period. Research suggests that organizations should not expect penalties to remain infrequent and low.
The public sector, telecommunications, media, and utilities have been found to lag the most in GDPR compliance. Companies that have received the heaviest fines under GDPR include:
British Airways ($230 million)
Marriott International ($124 million)
Google ($57 million)
Google's penalty, issued in January 2019, was declared the first "game-changing" GDPR fine. The regulator found that the advertising company failed to adequately inform users about what personal data it collected and how long it was stored, and that the consent it gathered was insufficient.
The real problem is awareness: while a majority of EU citizens, about 60%, know they have a right to access personal data collected by public administrations, only about half know that this right also extends to private companies. GDPR can only be upheld fully once citizens are aware of their rights and of the associated risks. In the current COVID-19 situation, with so much more activity moving online, this has become an unavoidable rule of thumb.