It’s now been over a year since May 25, 2018 – or “GDPR Day,” as it was known when GDPR finally took effect, about two years after it was passed into law in 2016. Regulators have been slowly easing into using these new data regulations, and some massive fines have already been handed out – with companies like British Airways and Marriott already paying hundreds of millions of dollars for data breaches.
However, many companies are still not taking GDPR seriously, despite the fact that the new penalties which may be leveled against businesses of any size could be crippling, and destroy much of the revenue and profitability of smaller companies.
Because of this, you need to take GDPR seriously – even if your competitors or other companies in your industry aren’t. Let’s explore this topic in more detail now.
It’s been found by Forbes that, after a year, many websites in Europe and abroad did not abide by GDPR regulations. The top 100 most-visited websites in 28 EU member states were tested to check their GDPR compliance.
The results were striking. 51% of examined websites did not have a clearly-disclosed privacy policy. According to ImmuniWeb, the source for the study, their privacy policies were either hidden or hard-to-find, which is a clear violation of GDPR regulations and could lead to a warning or a penalty.
In addition, about 4 out of 5 (80%) of these websites did not comply with rules about how tracking “cookies” are used on their websites. GDPR requires companies to disclose that cookies – which track user activity online – are used, and how they are being used. Companies must disclose if they are tracking user data, and inform users about what they do with that information, and they must also use secure methods to keep this information safe and free from data breaches.
The vast majority of the top 100 websites in the EU did not abide by these regulations properly, which could open them up to fines under GDPR regulations. These are not small websites, either – they are some of the most popular in all of the EU!
Throughout the first year of GDPR, European data regulators have been quite busy – and there have been a huge number of both data breaches and complaints which have been reported to the relevant authorities.
According to an infographic released a year after GDPR took effect, there have been a total of 89,271 data breach complaints reported to the agency over the last year – companies are legally mandated to report a breach or data loss within 72 hours, or face stiff penalties for not abiding by GDPR regulations.
That’s not all, though. As citizens of the EU become more aware of their rights and what constitutes a GDPR violation, complaints have risen dramatically. Since May 2018, more than 144,376 complaints related to GDPR violations have been logged by all European data protection authorities. These complaints can come from private individuals, companies, and any other person or party who notices a GDPR violation – and they can result in hefty fines.
If you’re part of an American company, you may be wondering why you should be concerned about GDPR, particularly if you do not do much business with countries in the EU. Any company that does business with an EU country protected by GDPR can be fined and penalized if they do not abide by GDPR regulations.
As GDPR states, its regulations apply “… to the processing of personal data… regardless of whether the processing takes place in the Union or not.”
In other words, if you’ve ever done business with an EU citizen, you are technically obliged to abide by GDPR regulations. Though it is unlikely that you will be investigated or fined, you still are legally bound by GDPR.
The maximum possible penalty for a GDPR violation is up to 4% of your company’s global turnover (revenue). Already, data regulation authorities have handed out some staggeringly large fines to American companies. Google was fined an eye-wateringly high $56 million USD (€50 million) for violations of its transparency obligations under GDPR articles 12 and 13, and its lack of a legal basis for the processing and storage of personal data, under Article 6 of GDPR.
Other high penalties issued in the last year include a fine of nearly $230 million USD for British Airways – which is equal to only about 1.5% of its global turnover. Under GDPR regulations, the penalty could have been a maximum of nearly $600 million USD. There are few companies who can withstand this type of penalty without serious cash flow issues.
Marriott will also be fined more than $124 million USD for its Starwood data breach – about .6% of its global turnover. The maximum possible penalty for this violation could have been as high as $830.4 million USD, based on Marriott’s estimated 2019 turnover of $20.76 billion.
It’s hard to overemphasize just how large these penalties are, especially compared to the maximum penalties of previous years and decades.
In the UK, for example, the Data Protection Act 1998 capped the maximum damages from a single data breach to £500,000 – and even the most severe data breaches, like the Facebook Cambridge Analytica scandal – were only subject to this maximum penalty.
As time goes on and companies have more time to learn about GDPR and move to ensure that they are GDPR-compliant, we expect that the fines and penalties issued by national data protection regulators will only become more severe.
Whether you’re based in the US or internationally, GDPR affects you, even if you only do business with a single citizen, company or entity of the EU. Because of this, you can’t afford not to understand the European General Data Protection Regulation.
Ignorance is no excuse when it comes to the stiff penalties, fees, and fines related to GDPR violations. To educate yourself, it’s important to invest in comprehensive GDPR training, and make sure that all of the data of your customers and clients will be protected from breaches.
So don’t wait. If you have not trained your employees on GDPR or taken the time to make your website or your company’s data collection services compliant with these regulations, now is the best time to start. As time goes on and GDPR enforcement continues to become more strict, you are more likely to be hit with a fine. So take action now, and make sure you protect your business with GDPR training.