Six Years of GDPR - Can you believe it has been that long?
Reviewing the impact of GDPR since its implementation and how we could learn from it for future regulations
A couple of weeks ago, Andrey Prozorov shared a report by the Centre for Information Policy Leadership about the GDPR’s First Six Years. Yes, it has been that long since this EU regulation entered into force.
The report covers the positive impacts and the challenges of this regulation, as well as the promises that remain unfulfilled. Moreover, it includes recommendations on how to continue improving the regulation’s implementation so that it fulfils its original purpose.
Considering that several new EU regulations, such as NIS2, DORA and the CRA, will enter into effect soon, I believe there are lessons to be learnt from how GDPR has fared since its launch and the impact it has had.
What is GDPR and what is its purpose?
The General Data Protection Regulation (GDPR) was implemented on May 25, 2018, by the European Union. Its primary purpose was to harmonize data privacy laws across Europe, protect EU citizens' data privacy, and reshape the way organizations approach data privacy.
According to the Centre for Information Policy Leadership (CIPL), the aim of GDPR was not only to protect personal data but also to modernize and unify data protection laws across Europe, promoting trust in the digital economy and enhancing the EU's digital single market.
The GDPR’s original ambition was to be principle-based, risk-based, technology-neutral, and future-proof, to create a “coherent data protection framework” to ensure “the trust that will allow the digital economy to develop across the internal market” - CIPL
Multiple reasons motivated the implementation of this regulation, as the amount of personal data being collected grew with the rising adoption of digital technologies. That personal data was no longer processed only locally within countries; with the growing adoption of cloud-based systems, it was also being transferred in and out of EU territory without much control.
Notorious data breaches and growing concerns about privacy gave GDPR the right context to become a landmark regulation in the region, focused on protecting individuals’ rights and improving data security measures.
GDPR regulates several key areas of data protection:
Consent: Requires clear and explicit consent from individuals for data processing.
Data Subject Rights: Enhances rights such as access, rectification, erasure, and data portability.
Data Protection by Design and by Default: Mandates that data protection measures be integrated into business processes from the outset.
Breach Notification: Requires organizations to report data breaches within 72 hours.
Accountability and Governance: Obligates organizations to demonstrate compliance through documentation and impact assessments.
International Data Transfers: Sets rules for transferring personal data outside the EU to ensure equivalent levels of protection.
Shortly after GDPR was implemented in the European Union, many other countries followed suit, designing and implementing their own data protection and privacy regulations.
My personal experience with GDPR
While GDPR does not explicitly mandate encryption, it strongly recommends it as a measure to protect personal data. Encryption is highlighted in several provisions (Recital 83, Article 6(4)(e), Article 32 and Article 34) as a method to enhance data security and mitigate risks. By encrypting data, organizations can reduce the impact of breaches, as encrypted data is considered unreadable and unusable to unauthorized parties.
Before 2018, it was common to read that laptops containing sensitive information about customers had been lost or stolen, and that the data on them wasn’t encrypted. Still, until GDPR went into effect, companies weren’t treating data encryption as a priority.
When I was at ESET, we realized this presented the perfect opportunity to promote our recently launched Endpoint Encryption product.
The campaign we ran in the European Union was a huge success by all measures, up-selling many existing customers on our encryption solution, and even acquiring net new ones that were using other endpoint products.
Regulation is a powerful driver for cybersecurity spending and companies understood that the implementation of encryption software would reduce their exposure to data loss and the potential subsequent fines.
The Economic Impact of GDPR
The economic impact of GDPR has been both positive and negative. My personal experience above is a glimpse into how compliance costs have been significant, especially for small and medium-sized enterprises (SMEs).
According to a CNIL report, the initial compliance cost for EU companies was estimated at €3 million per company.
An interesting side-effect of the new regulation, according to a study by the National Bureau of Economic Research (NBER), is that GDPR led to a 12.5% reduction in venture funding for EU tech startups, highlighting the economic challenges.
However, many organizations report benefits such as enhanced data management, increased consumer trust, and competitive advantages, and Cisco's 2020 Data Privacy Benchmark Study reported that companies with robust privacy practices saw a return on investment of 2.7 times their spending on privacy initiatives.
Understanding the economic impact of GDPR is a challenging task, and it all depends on the point of view. There’s not one study that shows the net impact of the regulation, and we can only see that what were benefits for some, weren’t for others.
Fines Imposed on EU vs. Non-EU Companies
A new regulation is ineffective without enforcement, and GDPR strengthened the role of the Data Protection Authorities (DPAs). There is one such authority in each EU Member State, responsible for handling complaints from consumers and businesses regarding data protection and privacy.
GDPR enabled the imposition of fines for infringements, and we can see that the financial sector, telecommunications and public services have faced the most of them.
According to the CMS GDPR Enforcement Tracker, the "Media, Telecoms, and Broadcasting" sector has received the highest number of fines, reflecting increased scrutiny and a large number of relevant companies in this sector.
Spain, for instance, has been very active in fining telecommunications providers, with one provider in particular receiving 60 fines since 2018.
It should come as no surprise, then, that Spain has the highest overall number of fines, having issued 802 in total. Italy, Romania and Germany also show high fine activity, with Italy imposing 245 fines, Romania 126 and Germany 122.
During the build-up to the launch of GDPR, there was a perception that the flow of fines would be endless. According to the CMS Enforcement Tracker database, there have been more than 2,000 fines up to March 1st, 2024, amounting to EUR 4.48 billion.
This number has been growing steadily in the most recent years, as there weren’t that many fines during the first year of GDPR.
The largest penalty was paid by Meta, Facebook’s parent company, in 2023. The US tech giant was handed a historic fine of EUR 1.2 billion for transferring the personal data of European users to the United States without adequate data protection.
When we review the biggest fines, we can see that the top 10 have been enforced on companies with headquarters outside of the European Union, like the above Meta, as well as Amazon, TikTok and Google.
This is a consequence of the differences in data protection practices between EU and non-EU companies, and of the fact that most of the most widely used global services aren’t EU-based.
GDPR fines have been imposed on both EU and non-EU companies, with significant penalties levied against global tech giants like Google and Facebook. Non-EU companies operating within the EU are subject to GDPR, and enforcement actions show that DPAs are willing to hold international firms to the same standards as EU-based companies. For instance, Meta (Facebook) faced its record fine of €1.2 billion from the Irish Data Protection Commission for unlawful data transfers to the U.S.
While comprehensive statistics on the exact number of fines against EU versus non-EU companies are limited, the significant fines against major non-EU companies like Meta, Amazon and Google suggest that non-EU firms are heavily affected by GDPR enforcement. The overall economic impact includes both the direct fines and the indirect costs of compliance, which can affect sales and profits.
Successes and Areas for Improvement
If there is one thing GDPR has achieved, it is the increase in data privacy awareness across organizations and individuals, in the EU and beyond.
There is clearly a world before and after the regulation, and there is a perception that individuals now understand better the implications of how their data is handled, and that they can have greater control over it.
Another benefit is how data management practices have clearly improved, with companies enhancing their overall approach and security, as highlighted above with the example of encryption.
As is usual with this type of regulation, there are still many areas for improvement, according to the various experts. Inconsistent interpretations and applications of GDPR by different Member States create uncertainty, and the practical guidance that DPAs provide is not in line with modern digital challenges.
There is still a lot of uncertainty about how data transfer in and out of the EU should be handled, which creates administrative burden, confusion and affects innovation.
Regulations are double-edged swords, unfortunately. When GDPR came into effect, it was clear that data protection needed to be enhanced, and while there have been clear benefits, we still see increases in security breaches that affect individuals and private organizations.
The EU now has a trove of regulations that are at different stages of implementation: NIS2, Digital Services Act, CRA, DORA, and even the AI Act, and lessons should be drawn from the GDPR implementation to ensure these new rules don’t have negative effects on innovation.
The AI Act is a good example: Facebook and Apple are going to be limiting their AI functionalities within the EU due to the uncertainty of how this regulation will be applied. Similar concerns arise with other new directives and acts.
In my opinion, GDPR has brought more benefits than drawbacks, shaping the data protection landscape, addressing ongoing issues and setting new standards. It did help to build trust among those who followed its recommendations to increase data protection and mitigate risks.
It took six years to get to this stage with GDPR, where there’s still much work to do. Let’s hope new regulations learn from its implementation, and we can see more positives coming from them and avoid the pitfalls.