GDPR One Year On… What Have We Learnt?

Reading Time: 2 minutes

It’s now one year on since the GDPR came in to effect – a regulation with an aim to standardise data protection laws across the EU, increase the privacy and protection of personal data and extend the rights of the data subject. So what has happened since GDPR go-live this past year, and what have we learnt?

According to IAPP research, since go-live, over 500,000 organisations have a registered Data Protection Officer in place – a new required position under the regulation for organisations meeting certain criteria that oversees compliance and data protection obligations.

The new regulation has prompted over 200,000 cases to have been created by data protection authorities and over 94,000 complaints received, ranging from right to erasure to unfair processing.

The GDPR overhauled and detailed new requirements for data breach notifications, which has seen a major increase in reported data breaches – estimated at over 64,000, and in some countries more than double the previous year’s amount.

The hottest topic related to GDPR was how infringements would equate to fines for organisations at fault – to date over €56,000,0000 fines have been issued as GDPR enforcement actions, however, the largest single fine was issued to Google and contributed to the majority of the global total at over €50m.

GDPR and the rest of the world

It should not to be forgotten that the GDPR is applicable not only to EU countries, but any country that holds EU citizen data and although only a small proportion of the total number, this past year has seen almost 300 cross-border cases raised.

Although described as an evolution rather than revolution, the GDPR has ushered in similar data protection regulation proposals across the globe. The California Consumer Privacy Act (CCPA) has been signed in to law with further deadlines to agree and adopt the legislation, although currently only at state level, it’s looking likely the U.S will adopt a GDPR style regulation nationally in the future.

Brazil, Latin America’s largest economy and its Lei Geral de Proteçao de Dados (LGPD) regulation has been modelled directly after the GDPR for 2020, and Australia have solidified data breach notification requirements since 2018 with the Australian Privacy Act amendment.

What have we learnt?

The data is enough to show a turn of the tide on the protection of personal data and enforcement for those who fall short, still – year one is a transition year and with that, we should expect a lot more movement in following years.

The positive note is that it’s not only organisations who are waking up to the need to protect personal data, but other countries now who are adopting similar style approaches for their own citizens personal data.

We have learnt that since the GDPR has been enforced, the majority of businesses have had an enormous amount of resource and investment required to offer the level of protection of personal data, which the average citizen may have been surprised hadn’t previously been in place.

The general consensus is that there is still a long way to go until a GDPR style approach to data protection is realised globally.

Data classification and GDPR compliance

If you want to learn more about how data classification supports GDPR compliance by visual labelling, enhanced workforce awareness of the value of the data used and metadata labels facilitating data security, data management and retention policies, then download our resource: EU GDPR – Protect Sensitive Personal Data On EU Citizens Fact Sheet or request a data classification demo.