Take a look at where GDPR stands as it reaches its fourth birthday, including enforcement and fine changes, current challenges, how COVID-19 affected it and more.
The EU's GDPR is one of the strictest data privacy laws in the world. Now entering its fourth year, enforcement of the regulation has evolved since it first went into effect in 2018.
GDPR was, in part, created to counterbalance the rapid expansion and innovation of giant tech companies. Such companies have revolutionized individuals' online presence -- and forever changed the face of online privacy. Many users are unaware of how their personal data is used and disseminated across platforms such as Facebook and Google. GDPR intends to clarify any gray area. For one, the regulation requires organizations to seek consent to save and use personal data, rather than rely on implied consent.
Uptick in GDPR fines in 2021
In GDPR's first three years, only one major tech company was fined for noncompliance. In the last six months, however, two tech giants were found guilty of noncompliance -- with record-breaking multimillion-dollar fines.
In July of this year, Amazon was hit with the largest GDPR fine to date -- $887 million, which also exceeds the amount of all previous GDPR fines combined.
In September, messaging service WhatsApp, owned by Meta Platforms, was fined $266 million. Google was found guilty of noncompliance in 2019 for allegations related to the company's ad personalization techniques. It was fined $57 million -- a record-breaking fine at the time but a fraction of Amazon's and WhatsApp's fines.
Large companies aren't the only ones breaking the law, though. Small to medium-sized enterprises -- those with more than 250 employees -- must also follow GDPR requirements.
While large organizations have faced higher fines, more small to medium-sized enterprises have been targeted with fines since the regulation went into effect as well.
What to expect in 2022?
The pandemic has brought up many questions surrounding data privacy and, in turn, GDPR.
Companies need to know how to deal with their employees' vaccination data. How should companies retain it? How should they protect it? Should they require that information? This concern relates to GDPR but isn't specifically a GDPR issue.
It does, however, affect privacy professionals by raising questions about how to protect employees' personal data. The European Data Protection Board released a statement in March 2020 emphasizing that GDPR should not hinder measures to fight the pandemic, but even during these times, personal data protection must be kept a priority.
As new variants continue to spread throughout the world, organizations must continue to balance health priorities and data privacy in 2022 and the foreseeable future.
Developing technologies will also affect GDPR compliance.
Privacy risks posed by AI, machine learning and facial recognition and profiling will be top of mind for EU regulators in 2022.
While 2021 was relatively slow for new data privacy regulations, it was quite the opposite for enforcement -- with regulators enforcing the law and imposing fines at higher rates than ever before.
Going forward, EU data privacy regulations may undergo another change depending on the outcome of the ePrivacy Regulation proposal, which would create additional challenges for privacy teams.