Measuring the impact of EU GDPR two years on
May 25 2020 marked the second anniversary of the implementation of the EU General Data Protection Regulation (EU GDPR).
The ground-breaking legislation changed the landscape of data protection throughout Europe and also has a potential global reach.
The primary objective of the legislation is to harmonise data protection throughout Europe and to give European citizens ownership and control of their personal information.
EU GDPR introduced many onerous and mandatory policies and procedures relating to the gathering and storing of personal information.
These rules apply to all businesses and organisations, regardless of size, that collect and process personal data. Accountability has become the buzzword in data protection, and it is the core legal principle which underpins the legislation. Businesses and organisations have been forced to change their mindset as to how they process personal information and to accept responsibility when they get things wrong.
Personal information is one of the most valuable assets that a business will be entrusted with, and failure to respect and protect this data from exploitation is costly. The consequences include unwelcome attention from the Regulator, which will likely prompt an investigation followed by either a strict sanction or significant financial fine, media interest, and reputational damage.
It has been an interesting two years since EU GDPR came into force. The legislation has certainly raised the focus on personal privacy and has brought the GDPR conversation to many boardroom discussion tables. How GDPR has been implemented differs greatly from business to business; the “journey” has been unique for each business and organisation. Some have embraced the project with enthusiasm, and others have remained complacent and appear to welcome the risk of incurring significant fines and sanctions.
Privacy awareness has increased significantly since 25th May 2018. Consumers, employees, medical patients, club members and “all others” have become very aware of their privacy rights.
EU GDPR very much favours “the individual.” This is evidenced by the seismic increase in complaints received by Data Protection Regulators throughout Europe, many of which relate to the misuse of personal information.
European Regulators have been relatively active, some more than others. Over 1,300 fines have been imposed, with the cumulative total amounting to €450m.
Interestingly, Google was one of the first businesses to incur a fine based on annual turnover, resulting in a fine of €50,000,000 in January 2019. Following an investigation into a breach of security by British Airways which resulted in 500,000 credit card records being compromised, the UK Regulator announced its intention to fine the business £183.4m in July 2019. The fine represents 1.5% of the airline’s worldwide annual turnover and is currently under appeal.
On 22nd May 2020, just days before the 2nd anniversary of GDPR, the Irish Regulator issued the first GDPR fine to Tusla Child and Family Agency for €75,000. The fine relates to three separate data breach incidents, with two further security breaches under investigation.
Privacy has been hugely impacted by the Covid-19 pandemic. There has been an explosion of fake websites professing to sell PPE equipment, and cyber-crime has increased significantly.
The introduction of track and trace technologies poses huge issues from a privacy perspective: will the individual truly know where their data is and who has access to this information? The topic of track and trace apps and similar technology is very much an ongoing privacy debate globally.
Implementation of the EU GDPR has certainly made an impact on the business world, with data protection becoming very real and a recognition that getting it wrong will cost.
The impact on the individual has demonstrated that people will not tolerate misuse of personal information, and there is a growing awareness that GDPR protects their right to privacy. EU GDPR is here to stay; let us await the privacy issues that unfold within the coming months.
Clare is a certified Data Protection Consultant “PCdp” and founder of MonClare Data Protection Consultancy based in Co Louth.
For more information: www.monclaredataprotection.com. Email: info@monclaredataprotect .com. T: 087 461601