Every affected business leader around the world was thrilled to finally secure full General Data Protection Regulation (GDPR) compliance by the May 25, 2018 enforcement deadline. For months—in some cases years—organizations worked diligently to make sure they covered all the bases to protect EU consumers’ data, as well as their own brand reputation and business interests.
Once the deadline came and went, so did the massive cascade of stories about the monumental and sweeping regulation. One year later, many people may find themselves wondering how companies around the globe fared and what GDPR inspired in other continents, countries, states and more.
Now is an excellent time to take a look at GDPR at the one-year mark, so keep reading.
What Impact Has GDPR Made on Privacy?
Several aspects of GDPR have made a significant impact on privacy concerns for EU residents, as well as for other consumers around the world, thanks to closer looks at their own data risks and options. As cybercriminals continue to target consumer data via breaches and other infiltrations, and as the economy continues to globalize, the goal to protect consumer data privacy has become a global concern, so nations and organizations everywhere are searching for meaningful solutions.
Let’s take a look at which aspects of GDPR have made an impact in various capacities.
The California Consumer Privacy Act
The United States has been carefully monitoring GDPR ever since the European Parliament passed it. One of GDPR's key influences has been in the state of California, where the California Consumer Privacy Act (CCPA) passed in June 2018. The CCPA will go into effect January 1, 2020, with several other U.S. states set to follow suit the following year. This act makes national organizations responsible for the protection of California residents’ personal data. Subsequent laws passed in other states are set to do the same.
The CCPA offers California residents the following rights that are at least somewhat inspired by GDPR:
- The right to demand more information about what a company collects and stores about them.
- The right to know of any third parties with whom the business has shared their personal information.
- The right to sue a business if they believe that privacy guidelines have been violated, with or without a data breach.
Additional States Set to Enact Privacy Protections Modeled After GDPR
California is far from the only state introducing and passing GDPR-inspired legislation to protect its residents’ consumer information. Similar to GDPR and CCPA, these state laws are intended to offer consumers greater transparency and some measure of control over their personal data. Vermont is second only to California in terms of going above and beyond breach notification. The Vermont law also requires businesses to make significant changes in their data processing operations.
Here are a few additional states that are making a greater effort to protect their citizens’ data privacy in the wake of GDPR’s enforcement:
- Alabama and South Dakota have each passed their first data breach notification law.
- Arizona has updated its breach notification law, expanding the definition of personal information and tightening notification timelines.
- Colorado has strengthened its consumer protections, requiring formal information security policies and increased oversight of third parties.
- Iowa has passed legislation to regulate mobile apps and online services for students.
- Louisiana and Oregon have each amended their data breach laws.
- Nebraska has enacted a requirement to maintain reasonable security practices and procedures, making those obligations applicable to third parties as well.
- South Carolina has imposed amplified breach notification and security requirements for the insurance industry.
- Vermont has passed legislation that regulates data brokers.
- Virginia has amended its breach notification law to also cover income tax.
The Fines and Penalties Continue to Add Up
In the EU, regulators have already brought in nearly €65 million in fines in more than 200,000 cases across 31 countries.
Several countries have issued no GDPR fines, including Belgium, Croatia, Denmark, Finland, Ireland, Italy, Slovenia and Spain. The reasons these countries have assessed zero fines may vary. Some nations have not yet fully adopted and absorbed GDPR into their own respective national laws, leaving a temporary lag in enforcement, while other nations simply take a lighter approach to enforcement overall.
GDPR Has Influenced Some of the Biggest Tech Names to Make Privacy Concerns a Top Priority
Businesses are taking notice of the value of GDPR’s focus on consumer data privacy and mirroring those efforts at the corporate level. Apple, Inc. is one notable company that is working to position itself as the security and privacy company. The issue recently took the limelight away from the iPhone, Apple’s flagship offering for several years running.
Continuous Compliance Can Be a Tricky Point for Businesses
Ongoing GDPR compliance can be expensive in terms of both financial and human resources. Many companies simply do the minimum, since most spent so much on initial compliance. Of course, this tack leaves these businesses open to stiff fines and penalties. A lackadaisical approach can result in a data breach or a simple negative compliance review that could trigger devastating fines and penalties.
The Overall GDPR Effect
Basically, GDPR has brought significant improvements in data governance, monitoring and awareness, and strategic decision-making regarding the use of consumer data.
Further, the risk of incurring and paying out hefty fines has made companies approach privacy and security more proactively. Nearly half the companies that fall under the jurisdiction of GDPR are still working toward full compliance, meaning that the transition will probably go on for a few more years. The best takeaway, however, is that companies everywhere are taking a closer look at their own approach to consumer data privacy and security. Additionally, EU companies are expressing increased confidence that they can address the GDPR’s data breach notifications.
Do Any of These GDPR-Inspired Changes Apply to Your Organization?
Do any of these changes sound familiar, or have some of them had some direct impact on your own business? GDPR is changing the face of data privacy, and it is crucial to keep up with it all to protect your own consumers’ interests, along with your organization.
Our team at I.S. Partners, LLC., can help you determine whether there have been updates to laws in your own state to protect your immediate consumers. We can also help you determine what you need to do to become GDPR compliant if that is a project you need to take on.