Unless you have been living under a rock, you are probably well versed in the headline items around GDPR. 2018 was the year that companies around the world were scrambling and talking about the new regulation being implemented by the European Union, one that would extend data privacy protections globally, not just within the EU.
If you were living under a rock, GDPR is the General Data Protection Regulation that was updated and enacted into law in 2018. While there were privacy laws already in place within the EU, this update to the law protects the data of EU citizens not only within the EU but also globally. This latter part of the law made it a worldwide phenomenon, as technically any company anywhere in the world that holds information and data on an EU citizen has to comply with the law.
Enforcement within the EU
Within the framework of the GDPR law, the EU stipulates that enforcement is to be handled by each member state, and those states must develop their own guidance around the law and supervise its application. The law also requires that each EU member state designate an independent public authority to be responsible for monitoring the application of GDPR and addressing any non-compliance. For example, the Information Commissioner’s Office (ICO) handles GDPR compliance in the UK, and every other EU member state has its own equivalent authority.
Enforcement started in earnest during the latter part of 2018 and into 2019. During the summer of 2019, we learned about £300M in fines imposed on the Marriott hotel chain and British Airways. This showed that the ICO in the UK is not going to hold back from imposing fines, and companies that have locations within the EU should be mindful.
There is now also a GDPR tracker website that has been set up to track the number of fines across Europe. While we cannot guarantee that it is accurate, it is a clear indication that authorities in Europe will be vigilant about enforcing the law and issuing fines. On a worldwide scale, it can be noted that Google was fined 50 million euros by Belgium, so the impact is reaching outside the EU.
Enforcement outside the EU
While the guidance and setup within the EU are pretty clear, outside of the EU it starts to get a little fuzzy as to who would regulate international companies that do not adhere to GDPR. For larger organizations that have offices or headquarters within the EU, GDPR enforcement would be handled by the relevant authority where those offices are located. As the article listed above states, the fines imposed on the Marriott Hotel Group and British Airways are a clear message to large multinational organizations that they could be targeted for breaches.
For companies that do not have any locations within the EU, the message is not as clear. Who will regulate them? What authority would any EU data protection authority have to impose fines, and would it have the appetite to look at companies abroad? These questions are still unanswered, and only time will answer them. There are indications that the EU is willing to work with countries that have equivalent data protection laws, but there is no framework in place at the moment.
Love it or hate it, GDPR is here to stay
It certainly was infamous last year, but the essence of GDPR is actually a good move by the EU to try to protect the data and privacy of its citizens. These are all things companies should be looking to do anyway, so while the whirlwind of GDPR's introduction was a little intense, the outcomes are very positive. Time will tell how it will be regulated around the world, but the EU has begun, and continues, to enforce the regulation now.