Remember last year when all those annoying emails from email lists of yore kept clogging up your inbox and they all had the same legalese? Well, it’s been one year since the flurry of GDPR-related activities worked everyone up into a tizzy, and data regulators across the EU have had many field days levying fines on companies large (Google, British Airways) and small (a random business in Vienna whose CCTV captured too much of the sidewalk).
From illegally turning on users’ microphones through an app to acquiring a competitor that had suffered a data breach, businesses found themselves in a fine, fine world for not taking the right steps to secure their data.
Here’s a quick recap of what’s happened in a GDPR world in the past 12 months, and 12 learnings you can implement from GDPR’s first year.
What’s GDPR again?
It stands for General Data Protection Regulation, and it was created to give EU citizens more control over their personal data (as it should’ve been from the get go!).
Under GDPR, companies must ensure that personally identifiable information (PII) is collected legally (read: with consent) and that the data is properly managed and safeguarded. Otherwise, companies will be hit with steep fines and negative PR (which probably costs more than the fines).
Has GDPR actually been enforced?
Did Tom Ford turn around the House of Gucci?
From Google, which was fined €50 million for collecting personal user data without consent (so much for “Don’t Be Evil”), to a Spanish football league hit with a €250,000 fine for using its app to illegally turn on users’ microphones to “catch illegal soccer streams” at various pubs, GDPR has been meting out punishments faster than a nun at Sunday school.
And for those with morbid curiosity, GDPR penalizes companies based on their annual revenue, with security and privacy violations warranting fines of up to 2% and 4% of the companies’ revenue, respectively.
So GDPR actually has teeth…my company should be okay, right?
Your company should be fine if you’ve implemented the proper controls and are transparent about how you document compliance.
Note that GDPR applies to you if you process the personal data of anyone living in the EU, regardless of where your company is located. And if you have partners and/or customers in Europe, then you’ll need to think about compliance.
And speaking of compliance, here are 12 learnings from the past 12 months that GDPR has been in effect: