Three Years of GDPR – a Look Back

by Thomas Gloerfeld, June 15, 2021

It might be hard to imagine, but it has been three years since the General Data Protection Regulation (GDPR) was implemented in the European Union (EU) on 25 May 2018. Time certainly does fly by when you are trying to protect data. Nevertheless, the term ‘GDPR’ has set a precedent for what is expected from organizations when it comes to protecting the personally identifiable information (PII) of EU data subjects, and it has served as the foundational inspiration for many international data security regulations.

Key stats so far:

272.5 million EUR in fines have been imposed in Europe since the implementation of GDPR.
More than 281,000 data breach notifications have been issued.
The highest GDPR fine to date remains 50 million EUR, which the French data protection regulator imposed on Google.

Looking at the regulation, can it be considered a success at what it set out to achieve? The answer is not as straightforward as you may think. Going by news headlines, we regularly see businesses fined for non-compliance, with significant penalties being levied. In the EU alone, over €30 million in GDPR fines have already been issued to organizations in 2021. But there is more to it than just the fines, and we cannot judge the success of GDPR by the number of those penalized.

Elevated awareness

GDPR was mandated to improve the security and privacy of individuals’ sensitive data in the hands of those handling it. It demands transparency of the processes, and its impact is visible, not just in Europe but around the world. It can be said that GDPR has elevated the general public’s awareness that they have a right to data security, which has been instrumental in building a culture of data privacy and protection.
So much so that a host of countries have either implemented or are close to adopting similar data privacy laws, including Brazil with the LGPD, the USA with the CCPA, New Zealand with the Privacy Act, Canada with the Digital Charter Implementation Act, and South Africa with POPIA, among others. With sensitive information constantly crossing borders, data privacy, security, and data handling have become a global issue. GDPR brought that to the forefront.

When you break it down, GDPR has set the standard for what organizations must do to keep PII secure, including what security technology is acceptable to implement to meet compliance effectively and efficiently. This might require businesses to invest substantial resources in acquiring the necessary tools, but that investment is certainly preferable to the potential fines and reputational damage should a business be found non-compliant.

So, what does the future hold for GDPR?

In the relatively short time that GDPR has been in effect, it has already made a positive mark in this digital world. Other nations have taken note, and we see similar data protection and privacy regulations emerge. This is forcing many enterprises, especially those with an international presence, to consider processes and technologies that allow for cross-regulatory compliance, because there are many similarities between these regulations in what they demand in data collection, handling, and processing.

Naturally, there will be developments in the regulation to ensure individuals are better protected. This will lead to evolutions in data protection methods to help meet these requirements and make compliance easier. Indeed, the focus must shift to a data-centric approach whereby organizations protect the data itself rather than solely the perimeters around it.
Consequently, this will lead to a significant reduction in the impact of data breaches and fines for non-compliance because with data-centric security, even in the event of a violation, no sensitive data is left exposed.

So, three years on, can we say GDPR has guaranteed the complete safety of individuals and their data? Not entirely, but it has certainly provided a solid base and EU residents have a better understanding of data privacy than they did before GDPR.

Thomas Gloerfeld

Thomas Gloerfeld is Director Partner Development & Marketing NonStop Solutions at comforte and has been associated with the NonStop community for over 25 years. Before joining comforte, he held various management positions at ACI Worldwide in Germany and the UK. In his role at comforte he manages all aspects of marketing for HPE NonStop solutions and comforte's NonStop partners. As part of his role, he closely monitors topics such as data security, risk and compliance, as well as digital transformation and connectivity.