Greetings! The General Data Protection Regulation (GDPR) has been in effect for roughly a year and a half now. When it was first introduced, in March 2018, I wrote a small blog highlighting a few details of the regulation, and praising it for its “drastic measures”. That blog was written with the aim of informing readers of some of the GDPR's features. In retrospect, and with regard to the way things are today, I see it as a tad bit naïve. But such is life, we grow and we learn.
Since then, there have been some major stories, as well as mixed feelings on how effective the regulation has been. In this article I will write briefly on some of these updates in regards to the GDPR in 2019.
Companies Caught in Violation.
Just earlier this week, the German data protection authority, the Bundesbeauftragten für den Datenschutz und die Informationsfreiheit (BfDI) (a very beautiful German name, I might add), charged two Internet Service Providers (ISPs) on the same day, concluding that they had violated the GDPR.
One of the companies was Internet Service Provider (ISP) 1+1 (one of Germany’s largest internet providers). 1+1 was charged with violating Article 32 of the GDPR, which states that a company is responsible for having adequate measures in place with regard to access to customers’ data. The fine was issued after the discovery that sufficient authentication requirements were not being used at one of 1+1's call centers. Personal information was given out after only confirming a name and date of birth. The BfDI said this practice failed to meet Article 32 of the GDPR. It should also be noted that the fine reflects 1+1’s compliance with the investigation, and a “reduced” fine was therefore issued. Julia Zirfas, 1+1’s data protection officer, stated that "The fine is absolutely disproportionate..". 1+1 is working to appeal the decision.
The second fine was issued to a smaller internet service provider, Rapidata GmbH, for failing to appoint a data protection officer as required by the GDPR. The fine issued to them was 10,000 euros.
For a more detailed report please check out this article by award-winning journalist Mathew J. Schwartz.
For a comprehensive list of GDPR violations to date, check out https://www.enforcementtracker.com
Compliance is Still on the Lower End of the Spectrum.
While this demonstrates that the GDPR is a force to be reckoned with, a recent survey conducted by Talend showed that many companies are still struggling to be GDPR compliant. According to their press release which was made available at the beginning of December,
“58% of surveyed businesses worldwide failed to address requests made from individuals seeking to obtain a copy of their personal data as required by GDPR”
“70% of companies and organizations were unable to respond to a Data Subject Access Request in a timely manner.”
For a more complete summary of this report please check out this very well written article by Nicole Lindsey.
More Data Regulations To Follow In The Wake of GDPR.
Beginning in January 2020, the California Privacy Act (CCPA) will take effect. While the National Law Review called it a “US GDPR”, it also highlights its limitations: it is more for Californians, as it is a state law, and it covers only “larger companies”. Other countries to implement their own data protection regulations include Brazil and Thailand.
While this certainly sounds like strides are being made, upon doing research on the current state of the GDPR I read this article by Stephanie Hare. In it, she claims that the GDPR is failing to adequately protect us. And to a large extent I agree with her. In her piece she asks:
“..for those of us living under the GDPR, what has really changed?”
Because she puts it so eloquently, here are her exact words on the subject:
“While it was an opportunity for a digital spring clean, informing people that their data is being collected is not the same as preventing it from being collected in the first place. That continues and is even increasing. The only difference is that now we are forced to participate in our own privacy violation in a grotesque game of “consent”.”
Many times websites even fail to give an option to opt out of certain cookies, while offering only an explanation of the type of information they collect on you. From personal experience I can even say certain companies still make it difficult for you to stop receiving marketing material.
However, I believe that as more time passes, and as the scope of data widens (AI), there will be more work and improvement carried out in terms of data protection. It is an ever-evolving process for customers and businesses alike. And although progress is slow, I still say it's better than no progress at all.
I hope the information in this article was useful in some way, shape or form.
Classmethod is an AWS Premier Consulting Partner dedicated to bringing quality data integration and cloud support to small and large businesses.
Classmethod Europe GmbH pledges to adhere to the regulation as we continue to serve Europe with leading AWS cloud solutions.