People in a conference hall with the letters "GDPR" on a projector screen.
PHOTO: Cory Doctorow

The General Data Protection Regulation (GDPR) has been in effect for just over one year now. The European Union’s privacy law put new regulations on data processors and data controllers to manage and protect the privacy of citizens who share data with brands and digital platforms.

What’s happened since the law went into effect? Do citizens feel better about data protection? Unfortunately, not much and no. About 45% of EU citizens say they are very worried about their online privacy, and 51% say they are very worried about their online security, according to a SurveyMonkey survey taken earlier this month.

“While many companies have worked hard to comply with GDPR, the complexity of the regulation may not translate into tangible improvements for customers or staff,” said Alastair Pooley, CIO at Snow Software. “After all the effort and investment to achieve or maintain GDPR compliance, will there be a strong enough data protection ecosystem to withstand future data challenges or are we to expect sweeping regulations to be implemented more regularly, in an effort to keep pace with how consumers use data? One year on from the GDPR deadline it’s still too early to tell.”

Pooley and others focused on GDPR shared some takeaways from the first year.

Still Waiting on Enforcement Action

The first big takeaway from a year of GDPR? Major enforcement hasn't really kicked in. Regulators have yet to slap major fines for GDPR violations outside of France’s $56.5 million charge against Google for violating GDPR in the areas of (1) obligations of transparency and information, and (2) having a legal basis for ads personalization processing. 

In fact, that fine represents a bulk of the enforcement action to date. According to a report from the European Data Protection Board, regulators in 11 European countries have issued around $63 million in fines related to GDPR violations (pdf). That makes France’s slap on Google about 90% of the GDPR enforcement cut. The European Data Protection Board also found there have been 206,326 national cases regarding potential GDPR violations reported to EU authorities. 

But don't get too comfortable. While regulators are not issuing fines every day, at least one report says EU officials will be announcing GDPR-related enforcement actions in the coming months.  

Related Article: Happy Anniversary GDPR — What Should Organizations Do Now?

US Compliance Slow to Start

Has the US caught up with the EU? Despite all the hype around GDPR and the awareness it has sparked across the globe, the progress toward compliance in the US has been surprisingly slow, according to Matt Hayes, VP of SAP business for Attunity.

“A majority of businesses are still interpreting the guidelines,” Hayes said. “How it plays into state-led GDPR regulations and what compliance means to them. The lack of true guidance around the regulations plays a large role in this lack of implementation, as companies are still struggling to understand how to interpret these for their unique situations.” Hayes cited a “collective confusion around compliance” surrounding GDPR, which he did not expect. 

“On another note,” he added, “the lack of compliance can also be attributed to the minimal regulatory enforcement to date. A year has passed since GDPR has come into full effect, and it’s truly surprising that no real consequences have surfaced despite the multitude of high-profile privacy breaches.”

Related Article: What If You Just Ignored GDPR?

Is the US Next for GDPR-Like Regulations?

Large US tech firms aren’t exactly being quiet about privacy, however, according to Cedric Savarese, founder and CEO of FormAssembly. Google CEO Sundar Pichai wrote in a column in the New York Times, “We think the United States would benefit from adopting its own comprehensive privacy legislation and have urged Congress to pass a federal law.” In a Washington Post column, Facebook CEO Mark Zuckerberg echoed a similar sentiment: “I believe it would be good for the internet if more countries adopted regulation such as GDPR as a common framework.” (We should note Zuckerberg’s on an obvious PR tour in light of Facebook’s privacy woes). 

And of course there’s California’s own little GDPR in the form of the California Consumer Privacy Act (CCPA). “GDPR has already influenced a global wave of privacy updates and protocols, e.g. the [CCPA],” Hayes said. “And it’s clear that this is only the beginning with many more expected regulations to surface over the next couple years.”

Related Article: What Is the California Consumer Privacy Act of 2018 and How Does It Affect Marketers?

Applying GDPR Work to a Diverse Set of Data Repositories

Kristina Bergman, founder and CEO of Integris, said one big lesson her company has learned from customers is being able to avoid doing the same work twice. “Many companies started preparing for GDPR by hiring lawyers and consultants to do impact assessments, map out workflows, manually survey data sets and introduce internal guidelines,” Bergman said. “This documentation is certainly important. But operationalizing GDPR actually requires applying this work to a diverse set of data repositories, in addition to leveraging existing IT security tools and other IT systems.”

Getting the CTO, CISO, data governance team and chief privacy officer together to do it right the first time is critical, she added. Establish a team, define responsibilities and get the lawyers and technologists on the same page.

Data Is Being Treated With Respect

Because of GDPR, personal data is no longer seen without emotion, according to Matthias Maier, EMEA security evangelist at Splunk. “A clear connection has been made between people, their personal data and the value it holds,” Maier said. “Data is now being treated with the respect it deserves, and employees and organizations are viewing it as something that needs to be handled responsibly. Organizations have been forced to value personal data and treat it as something they have borrowed and are custodians of rather than owners."

Related Article: GDPR Is Tough and Set to Get Even Tougher

It's Just the Tip of the Privacy Protection Iceberg

GDPR is the most impactful change in privacy protection and data security in decades, and pretty much since the internet became a commodity, according to Sven Dummer, senior head of product for Akamai. “And I think we have only seen the tip of the iceberg,” he said.

But it's a good things because it's stimulated companies to take privacy protection seriously. In addition to the more than 200,000 cases for potential GDPR violations and privacy complaints reported to EU officials since GDPR went into effect, more than 375,000 companies have registered a data protection officer, according to a report from the International Association of Privacy Professionals (IPAA). That is a role required, defined and protected by GDPR to ensure compliance and proper handling of personal data, Dummer said.

And that’s good news, considering consumers are getting smarter about their privacy rights, according to Jean-Michel Franco, senior director of product marketing at Talend. “The most important thing that happened is media coverage and its impact on the consumers: the general public is becoming much more educated and aware about the importance of protecting their data privacy,” Franco said. “More and more education is being brought to those who haven’t traditionally thought of data privacy, and it’s a growing trend that people realize their data is valuable and needs to be protected. They are welcoming their new rights for data privacy and are keen to exercise them.”