Commentary

The GDPR Saga: Most Of The Fines Have Been Small In First Year

Only a few days into its second year, GDPR is continuing to produce headlines — and some cash.

For starters, 9to5 Mac reports that fines totaled €56 million — €50 million of it being a single fine against Google. The penalty was imposed by the French Data Protection Commission for Google’s alleged lack of transparency about its use of data to serve personalized advertising.

Most of the remainder was made up of small fines, many in the low thousands. But there were exceptions, such as the €600,000 hit imposed on Uber by the Netherlands for failure to report data breaches within the required 72 hours.

Overall, there were 200,000 investigations, and 64,000 were upheld, 9to5 Mac says.

Meanwhile, the Nieman Lab adds that over a dozen EU countries have imposed fines, but most were small. Some countries have faced delays as they sought to embed GDPR into their own laws, the report continues, sourcing the law firm Ius Laboris.

For end users, GDPR has “mostly seemed to mean a lot more ‘I agree’ buttons to click and ‘Yes, you can really send me emails, that’s literally why I’m signing up for this email newsletter in the first place’ checkboxes.”

Fines have been levied, but not on publishers, the article states. 

Then there is the announcement by Shred-it that 72% of the UK’s SMEs claim to have a positive understanding of GDPR. However, 60% say the law has had either a slight impact on their business — or none at all. 

At the same time, 32% report GDPR has had a ‘great’ or ‘considerable’ impact on them, showing that they are probably closer to being in compliance. 

Of the companies polled, nine out of 10 rate themselves as a four or five on a scale of one to five when it comes to GDPR readiness.

They have taken such actions as reviewing their policies (45%) and emailing customers (35%). 

However, Shred-it says those actions are on the lighter “front end” of GDPR compliance.

What are the challenges? Data breaches and disclosure requirements, especially for 28% of the healthcare respondents and 15% of those in the real estate sector.

There are two clear general findings from the survey, according to Ian Osborne, vice president UK & Ireland for Shred-it.

One is that “the majority of SMEs are genuinely engaged with the process of compliance; within that group there are many who believe they are already compliant but may have missed some key more complex parts of the GDPR.”

He adds: “It is the minority in that group who have recognized its greater challenges and are wrestling with its more complex areas.”

The other finding is that “some SMEs recognize they are not ready, seem unwilling to address the issue of GDPR compliance and are reluctant to seek support in any form to help them,” Osborne continues.

He predicts that when “the relevant authority’s fines become more common headlines across the UK, we expect that views may change about what compliance really means.”