One Year into GDPR, Many Organisations Are Still Not Compliant

One year after the GDPR "fever" passed, many organisations have taken measures to comply with the regulation; others, however, chose to stand idly by and wait to see what would happen. It is not rare to open a company website and discover that its privacy policy still revolves around measures implemented under the Data Protection Act 2003, or that US and Australian companies still resist appointing an EU representative.

What the Numbers Say

The GDPR came into effect on May 25, 2018, affecting how organisations collect, use, store, transmit and otherwise process the personal data of EU residents. Organisations worldwide involved in any of those activities had to respond by reviewing, revising and updating the relevant policies and procedures in line with the new requirements. As you are probably aware, violations of the GDPR carry fines of up to €20 million or 4% of the firm's worldwide annual turnover from the preceding financial year, whichever amount is higher. So, twelve months later, why are some organisations still struggling to meet their compliance obligations?

  • A survey by IT Governance reveals that, as of December 2018, 71% of organisations were still not GDPR compliant.
  • Another survey, conducted in March 2019 by nCipher and the Ponemon Institute on encryption trends, shows that only 45% of IT companies have implemented "appropriate measures" in the form of encryption.
  • What is even more striking is that 25 of the 28 official EU government websites may not be GDPR compliant, according to a March 2019 Cookiebot report.
  • 56% of UK businesses admitted that they had failed to request consent to store sensitive data, and 16% said they had knowingly ignored subject access requests, according to a survey by CybSafe.

Read more: Ad Tech Companies Track EU Users Visiting EU Government Websites

If we have to summarise the first year of the GDPR, we could conclude that it was relatively quiet in terms of enforcement activity. None of the fines imposed came close to the maximum of €20 million. As a whole, this has been a year of learning and of ramping up towards full enforcement as regulators set precedents. At the same time, it would be wrong to conclude that regulators are not going to enforce the GDPR in full force. What we are seeing now is an effort to promote the right approach through guidance and advice rather than simply hitting organisations with crippling fines.

Fines for the Non-Compliant

Fines are the ultimate consequence of non-compliance, and organisations around the globe need to be aware of the experiences of the unfortunate few who have already felt the GDPR hammer come down.

The first major fine was issued in Portugal for the amount of €400,000. The recipient was a Portuguese hospital, penalised for non-compliance with the EU GDPR because it had not separated access rights to patients' clinical data.

Read more: Portuguese Hospital Fined €400,000 for GDPR Non-Compliance

At least 91 fines were issued during the first eight months of the regulation. The total penalties imposed under the statute added up to €55,955,871, which might sound impressive until you consider that Google's €50 million fine from the French DPA, for using personal data inappropriately, accounts for roughly 90% of that amount.

Read more: French DPA Fines Google $57 Million for GDPR Violations

More importantly, the Google case highlighted that product design and consent are key components of GDPR compliance, not just how you respond to a data breach or manage cookies. Additionally, while Ireland may be the EU business headquarters for many tech giants, EU regulators treat the location where privacy decisions are actually made as paramount when determining jurisdiction. As a result, a regulator can still take action against a non-compliant organisation even if its headquarters are not situated in that regulator's jurisdiction.

Why the GDPR Applies To Your Organisation

One big misconception surrounding the GDPR is that if your organisation is not based in the EU, the law does not apply to you. That might be the case, but be mindful that if your organisation interacts with EU residents and collects their personal data during that interaction, the GDPR is something you need to be aware of.

Investment in compliance efforts can be costly and time-consuming for organisations. But it is important to keep in mind that, since privacy and security are closely related, the primary business advantage of a comprehensive GDPR implementation is consumer trust. Non-compliance carries the same reputational and brand damage that accompanies any data breach: you expose your organisation and its compliance flaws to public scrutiny, and your efforts to secure users' personal data will always be questioned.

Now that you are aware of the risks, you might as well take the first steps on your compliance journey, and what better way to start than with an all-in-one tool for GDPR compliance?

Whether you need an informational guide to the specifics of the GDPR, a staff training solution or a full set of template documents that you can adapt as your own, GDPR Toolkit is the right choice for your business!
