GDPR: A Year Later
Leading into last year, the European Union's General Data Protection Regulation (GDPR) was being hailed as the most important legislation of the past 20 years. Companies worldwide went into panic mode, terrified that the slightest infraction could result in hefty fines and serious damage to brand reputation.
In the year since the GDPR took effect, though, only one major fine has been handed down so far. That action came in January when France's data protection regulator, the National Commission on Informatics and Liberty (CNIL), fined Google nearly $57 million for processing personal data for advertising purposes without obtaining the required consumer permissions. According to the CNIL filing, Google also failed to adequately inform consumers about how their data would be used and did not provide enough information about its data consent policies.
Google was not the first company to be hit with sanctions under the GDPR. Other notable actions have involved a hospital network in Portugal, a betting site in Austria, and a German social media and chat network, but those fines only amounted to a few thousand dollars apiece.
The numbers show just how little enforcement has been done: since the GDPR went into effect in May 2018, regulators across all 28 European Union member nations have received hundreds of thousands of complaints and data breach notifications; as of February, they had issued fewer than 100 fines.
In Germany, for example, data protection authorities issued just 41 fines for violations of the GDPR through mid-January, according to published reports. The largest single fine amounted to about $91,000.
In general, fines across Europe have been small and infrequent. And even Google's fine could have been much higher. Under the GDPR, companies can be fined a maximum of 4 percent of their annual global turnover. Google made an estimated $110 billion last year. Nonetheless, Google is appealing the fine.
This lack of enforcement muscle has prompted most CRM insiders, including executives at companies with huge stakes in the marketing and data spaces, to give the legislation a less-than-stellar grade at the one-year mark.
"So far we're not seeing the impact that we were expecting," says Jack Carvel, general counsel at Qubit, a marketing personalization platform provider based in England. "There was a lot of talk about big fines on the way, and so far, there haven't been many."
Carvel was also critical of the GDPR and European regulators for failing to go after the third-party firms that trade in ill-gotten and often inaccurate consumer data.
"There are still so many big companies that are trading bad third-party data," he says. "We expected the GDPR regulators to go after these peddlers of dirty data, and they really haven't.
"It's so easy for bad actors to still play in the space," Carvel continues, "and I'm not sure that GDPR can address them all."
COMPLIANCE CHALLENGES LOOM
While CRM and marketing technology vendors worldwide were in a mad dash to ensure their products met the GDPR’s standards, marketers in general seemed to approach the GDPR deadline with less urgency.
The GDPR requires companies doing business in EU member countries to get consumers' consent via an explicit opt-in process before collecting and sharing information about them; to provide a way for consumers to correct, update, and delete the data that companies hold about them; to fully disclose what information is being collected and how it will be used; and to properly notify all parties involved when there is a data breach. To date, many marketers are still not where they need to be when it comes to meeting those guidelines.
Peter Gillett, CEO of Zuant, a lead capture technology provider based in England, says the GDPR is still "way off" in achieving its stated goals. "There's a ton of work to do by the majority of organizations" to get into compliance with GDPR, he says.
Matthew Vernhout, director of privacy and industry relations at 250ok, an email analytics and deliverability platform provider based in Indianapolis, agrees. Businesses everywhere, he says, "are trying their best to be compliant. Most businesses are certainly pushing to improve their processes by updating older software solutions and processes where parts of their responsibilities are clear, and others are still in a murky world of gray and uncertainty."
The statistics bear this out. In a recent survey from the International Association of Privacy Professionals, fewer than half of respondents said they were fully compliant with the GDPR, and nearly a fifth said they believed full compliance with the GDPR would be impossible.