The GDPR officially became a requirement on May 25, 2018, which means that 5 years of this data privacy law have passed. While some saw it coming from afar, others had to make many adjustments over the years. Where is this regulation now?
The introduction of the GDPR (General Data Protection Regulation) on May 25, 2018 marked the beginning of a new era in privacy and data protection legislation, opening the door to a growing global regulatory landscape.
The regulation applies to all companies operating in the European Union, as well as companies outside it that process the data of EU citizens. Its goal is to protect the fundamental rights and freedoms of individuals regarding the processing of their personal data.
“The GDPR establishes clear and strict requirements for the collection, storage, processing and transfer of personal data, and also gives individuals the right to know and control the use of their personal data,” explains Félix Llorente García, SAP project manager at Integra Strategy and Technology.
Among the improvements brought about by the introduction of the GDPR are:
- Greater transparency and control for users: The GDPR establishes that companies must provide clear and understandable information about how users’ personal data is collected, used and protected. It also grants users the right to request that their personal data be deleted and to receive a copy of it.
- Stricter obligations for companies: There are strict requirements for companies that process personal data, including the need to obtain the explicit consent of users before collecting and processing their personal data, and to notify authorities and users in case of a security breach.
- Stronger penalties: Companies that break the law face penalties, including fines of up to 4% of annual global turnover.

“Many countries and regions have already implemented laws similar to the GDPR, such as the California Consumer Privacy Act in the United States, and this trend is expected to continue as businesses and governments around the world realize the importance of protecting users’ personal data,” adds Félix Llorente.
What has been learned in the last 5 years and what is on the horizon? More laws are coming
Most organizations have been able to err on the side of caution and avoid the consequences of non-compliance: fines of up to 4% of global annual turnover, reputational damage, and lost revenue. However, the big tech companies have borne the brunt of it.
In Europe, more than €1,000,000,000 in fines has been handed out since the GDPR became a requirement. In 2022, the EU sanctioned European companies with fines totalling 2,920 million euros for breaching the GDPR, according to AtlasVPN. The figure marks an increase of 168% compared to 2021.
“This increase demonstrates the growing confidence and willingness of supervisory authorities to impose high fines for breaches of the GDPR, particularly against large technology providers,” the report states.

As Business Insider explains, most of the large technology companies maintain their headquarters in Ireland thanks to its advantageous tax system, which has left that country's Data Protection Commission facing an endless number of cases that have ended up generating a bottleneck.
The 4 largest fines in recent years in Europe have been:
- In 2021, Amazon received a heavy fine of 746 million euros for violating the right to privacy of its customers.
- Instagram was fined a total of 406 million euros in 2022 for its management of minors’ data.
- Meta paid a total of 390 million euros in 2022 for forcing users to accept personalized ads.
- Ireland also hit WhatsApp hard with a massive €225 million fine in 2021, as the messaging app had failed to adequately explain its data processing practices in its privacy notice.
It is worth mentioning that the EU's data and digital strategy stays on track with new projects on the horizon, some of which are already underway: the Artificial Intelligence Law, the Data Law, the Digital Markets Law or the Digital Services Law. At the same time, there is a greater desire to improve the regulation of cybersecurity.
“As more laws regulate the use of personal and non-personal data, as technology continues to evolve, and as data is an increasingly valuable resource, organizations are thinking holistically about their programs,” adds Félix Llorente.
As for the future of the GDPR, it is worth noting that it was implemented in 2018 and that new technologies and ways of processing data have emerged since then, such as artificial intelligence, automation and machine learning. However, it is a very complete and flexible data protection law that can be adapted to these new technologies.
In fact, the GDPR includes a provision that establishes that the European Commission must evaluate the law every 4 years and present proposals for its improvement if necessary. “It is expected to continue to be a model for the protection of personal data throughout the world,” the expert concludes.