The General Data Protection Regulation (GDPR) passed in May 2018 in an attempt to protect citizens from data breaches due to either negligence or bad actors. The European regulation is one of many that are trying to make digital environments more secure for consumers: CCPA in California, LGPD in Brazil, PIPL in China, PIPEDA in Canada.
GDPR is a response to growing public concern in Europe over data privacy. The European Union has used the regulation to safeguard data protections in the EU and the European Economic Area (EEA) with strict enforcement of the rules, investigatory powers and substantial fines for non-compliance or in the instance of data breaches.
GDPR gives consumers data protections including:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
Who Needs To Care About GDPR Compliance
It goes without saying that if you are a European company, or a company that does any business in Europe, you need to be aware of the GDPR requirements.
Businesses in the United States should also pay attention to GDPR because, although the regulation is European-specific, it affects businesses outside of the EU and EEA that handle the data of European consumers. The global economy is not isolated and there is a lot of spillover; you should check the vendors you work with to make sure that they meet compliance requirements to avoid any liability.
If you are an ecommerce company, you as the merchant are the data controller responsible for your consumers’ data. Picking the right partners to work with will be a part of how you achieve complete compliance. For example, Shopify has plenty of GDPR related resources to help you understand your obligations and to demonstrate their own compliance.
US consumers should also have an interest in GDPR as it might benefit them without them even knowing. GDPR guarantees protections not just for European citizens but also for any consumers whose data is handled in Europe, such as those who visit for vacation or business. It should also serve as a reminder of what kind of data is and isn’t protected in the United States.
Consumer Attitudes Towards Data Protection
The RSA Data Privacy & Security Report has surveyed more than 7,500 consumers across France, Germany, Italy, the UK and the US about “the impact privacy, data and regulations have on their relationships with businesses.”
It showed a distrust of online marketers and a fear of hackers as “More than 40% of respondents admitted to falsifying personal information and data when signing up for products and services online” in order to avoid being marketed to or losing sensitive data.
80% of respondents listed financial and banking information as a concern for having data exposed in a data breach, as well as being concerned about their passwords (76%) and identity information like passports and driving licenses (72%).
Other notable findings included that 51% of German respondents are protective of their genetic data, and 51% of younger millennials (ages 18-24) are concerned about personal information being used for blackmail.
There is an imperative to build an online space that consumers can have trust in, but there is also an incentive for businesses to improve their data security practices: 82% of UK respondents claimed they would boycott a company that continually demonstrated they had no regard for protecting customer data.
Though the threat of boycott may not be enough of an incentive for companies to self-regulate, the European nations have developed a substantial and progressive regulatory framework that forces companies to take the issue of data security seriously, and they have not been afraid of levying huge fines to demonstrate the seriousness of the issue.
What Kind of Personal Data Is Protected by GDPR
As part of GDPR’s broad compliance regulations, companies must safeguard consumer data including:
- Personally identifiable information (PII), such as name, address and ID numbers.
- Web data, such as IP addresses, cookie data and RFID tags.
- Health and genetic data.
- Political opinions.
- Sexual orientation.
The Benefits of GDPR
GDPR is thorough and progressive. The high fines imposed might have annoyed Google, but they are a means to an end – an end that is a safer, more secure digital environment that protects consumers and holds companies accountable for designing better systems. Apple CEO Tim Cook has said that “it should be the law around the world,” and that governments should take a stand for consumer data privacy.
Although GDPR might not apply to all North American companies, being an early adopter of data security practices is beneficial to your business. Michael Fimin, writing in Forbes magazine, recognizes five benefits to GDPR compliance.
1. Enhanced Cybersecurity
GDPR “requires organizations to identify their security strategy and adopt adequate administrative and technical measures to protect EU citizens’ personal data.” Putting these practices into place secures your data and improves your cybersecurity.
2. Improved Data Management
When reviewing your data collection and storage, “get rid of redundant, obsolete and trivial (ROT) files that your organization retains,” and make your data searchable. Your employees will be more efficient if your systems are lean, indexable and searchable.
3. Increased ROI With More Qualified Leads
4. Consumer Trust
Consumers are concerned about how their data is being collected, used and exposed to risk online. Going above and beyond the American requirements to secure your customers’ data to the standard of GDPR highlights how much you value their personal data and how seriously you take the threat of data breaches.
5. Market Differentiation
Being an early adopter has many benefits. You can go through many iterations of data security practices to perfect your systems before a late adopter enters that space, you anticipate the requirements of any future regulations and can achieve compliance before it’s mandatory or enforceable, and it will give you market differentiation in a sea of competitors that haven’t yet made a move on data security. As Fimin puts it, GDPR compliance is your opportunity to “implement a new business culture that cherishes human privacy. The GDPR is your opportunity to excel.”
Drawbacks of GDPR
A concern with such heavy regulation is that the cost of compliance might be a barrier to entry for new companies in the digital space, which has been thought of as an environment that rewards risk, innovation and disruption from new companies. Fast-scaling companies might be less competitive than the larger incumbents already on the market.
For larger companies, or companies dealing with large volumes of personal data, there are the costs associated with hiring or promoting a Data Protection Officer in charge of securing data and complying with European authorities. The fines might be hefty and dissuasive, but so too are the costs associated with compliance. The additional overhead might be a death knell to SMBs.
Compliance is something that needs to be actively managed. Smaller companies might not be able to keep up with compliance in the same capacity as bigger companies. This preserves the competitive advantage that these bigger companies already have.
The limitations on how companies can collect, store and use data will impact the technical side of advertising that many SMBs rely on. Without the insight of quality data for marketing purposes, companies experience difficulty reaching their intended audiences, and consumers might be served less relevant ads. Great advertising benefits both the consumer and the advertiser when the right products are put in front of the right eyes.
Another criticism of GDPR is that it has gone too far and that the overregulation will lead to a constant state of consumers being asked for their consent online. Either users will be met with constant cookie banners, or companies won’t collect sensitive data in the first place, instead using alternative data analytics to achieve compliance without any opt-in requests made to website visitors.
How To Achieve GDPR Compliance
Data privacy is a global issue, and GDPR impacts any company that handles EU resident data. If your website collects user data with analytics software, this regulation affects you, and you’ll have to switch from opt-out to opt-in data collection.
Audit the data you are collecting.
Understand what kind of data you process, how it is stored and who in your organization has access to it. Monitor your vendors that gather data from your website, and check their statements on compliance with GDPR.
Address privacy at every level.
Don’t just pay attention to how systems are designed or how information is stored but also to who has local access to accounts.
Take a risk-based approach.
Data security compliance requires collaboration; gather insight and input from everyone in your organization. By identifying your biggest risks together and prioritizing their fixes, you can address them effectively and achieve compliance.
European consumers now have extended rights over how their personal data is collected and how it is used, and they also have the right to ‘data portability’: they can request a copy of the personal data held about them, or request that it be rectified or deleted.
Businesses that are heavily invested in the digital space and traffic personal data at any level are going to have to develop practices and technologies that allow them to easily conform to the regulations.
- Continually monitor and secure digital assets.
- Put proper controls in place to protect data from breaches.
- Make data available to data subjects within ‘a reasonable time.’
What Happens If You Don’t Comply: GDPR Penalties
The high-profile penalties under GDPR have been vast. In the first year of the new rule, Google was given a fine of €50 million. Intersoft Consulting writes of the GDPR fines that they are designed to be “effective, proportionate and dissuasive for each individual case.”
The regulation was written with a two-tiered fine structure for penalizing companies:
Minor infringements are “subject to administrative fines up to €10 million, or in the case of an undertaking, up to 2 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher.”
Serious infractions are “subject to administrative fines up to €20 million, or in the case of an undertaking, up to 4 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher.”
Penalties may be decided with consideration to:
- the nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them.
- the intentional or negligent character of the infringement.
- any action taken by the controller or processor to mitigate the damage suffered by data subjects.
- the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them.
- any relevant previous infringements by the controller or processor.
- the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement.
- the categories of personal data affected by the infringement.
- the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement.
- where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures.
- adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42.
- any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.
What are the average fines for GDPR violations?
GDPR became law in May of 2018, and in the remainder of that year alone, 91 fines were issued for a total of €55,955,871. For the most part, it’s the high-profile large sum fines that get most of the attention, but not all GDPR fines are published or make headlines. When you remove the €50 million outlier fine handed to Google from the data, the average GDPR fine a company faced was approximately €66,000.
The Dutch Data Protection Authority (DPA) published its guidelines for penalizing infractions in March 2019. It developed a tiered penalty system with four categories depending on the severity of the infraction.
Category I applies in the instance of simple or clerical violations, such as “failing to share the contact details of the company’s Data Protection Officer (DPO) or to adequately record the responsibilities of processors or joint controllers.” Fine range of €0 – €200,000; standard penalty of €100,000.
Category II applies when a company doesn’t fulfill specific GDPR obligations and requirements. Fine range of €120,000 – €500,000; standard penalty of €310,000.
Category III applies when a company refuses to be transparent with its users or with the Dutch Data Protection Authority (DPA), refusing to notify the DPA of breaches, or refusing to cooperate with the DPA. Fine range of €300,000 – €750,000; standard penalty of €525,000.
Category IV applies when a company engages in the unlawful processing of sensitive data, illegal profiling, or refusing to comply with specific directives from the Dutch DPA. Fine range of €450,000 – €1,000,000; standard penalty of €725,000*
*Only where the €20,000,000 / 4% of annual turnover tier applies.
Notable Instances of GDPR Enforcement
In the Fall of 2020, Marriott and British Airways were both handed substantial fines following separate data breaches in 2018 that adversely affected consumers.
British Airways | $25.85 million | United Kingdom, 2020
British Airways was fined $25.85 million after the data of 400,000 of their customers was compromised in the data breach. The fine handed to them by the Information Commissioner’s Office (ICO) was for their data security weaknesses, after the investigation found that they had been processing “a significant amount of personal data without adequate security measures in place.”
Although the fine was the largest the ICO had given out, it had originally proposed a fine of $229 million before taking into consideration the economic impact Covid-19 had had on the aviation industry. The ICO also gave credit to BA for the “considerable improvements to its IT security” following the attack and for complying with investigators – both of which helped lower the original fine total.
Marriott International | $23.8 million | United Kingdom, 2020
In 2020, Marriott Hotels were handed a $23.8 million fine for a data breach that exposed 339 million guest records, affecting 30 million users across the EU. The interesting thing about the Marriott case is that the original breach has been dated back to 2014 but wasn’t discovered until 2018, and “the penalty only covers the portion of the breach that dates from 25 May 2018 — when the GDPR came into effect.”
As with the British Airways fine, issued just weeks before the Marriott fine, the UK government reduced the total fine amount down from $123 million because of Covid-19’s economic impact as well as the mitigation efforts and compliance from the company.
Google | $57 million | France, 2018
Google has, since the inception of GDPR, drawn the ire of French data regulators. In 2018, the company was fined €50 million for “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation.”
Google | $121 million | France, 2020
In late 2020, French regulators again handed Google a fine for €100 million, though Google is currently fighting the amount in court. The fine was because when users visited google.fr “seven cookies were placed on their terminal equipment, before any action on their part.”
Amazon | $42 million | France, 2020
Amazon was also handed a fine of €35 million by French regulators for the same cookies violation. French authorities determined that neither Google nor Amazon met “the requirement of prior, clear and complete information for users, nor the requirement to obtain their consent and that the mechanism for opposing these cookies was partially defective.”
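The opt-in requirement from the compliance section above and the finding in the Google and Amazon cases that cookies were placed before any action by the user come down to the same control: load analytics only after a recorded, current consent. The following is an added example in JavaScript, not code from the original post or from any vendor; the storage key, the consent version number and the `loadAnalytics` loader callback are assumed names.

```javascript
// Added example, not code from the original post: an opt-in gate for web
// analytics. Nothing loads and no tracking cookie is set until the visitor
// has made an explicit, current choice. `store` is anything with
// localStorage's getItem/setItem; `loadAnalytics` (assumed name) injects the script.
const CONSENT_KEY = "analytics_consent"; // assumed storage key
const CONSENT_VERSION = 2;               // bump whenever the consent notice changes

// Stored decision, or null when absent, malformed, or given against an older
// notice version (stale consent is not reused; the visitor is asked again).
function readConsent(store) {
  const raw = store.getItem(CONSENT_KEY);
  if (raw === null) return null;
  try {
    const c = JSON.parse(raw);
    return c && c.version === CONSENT_VERSION && typeof c.analytics === "boolean" ? c : null;
  } catch (e) {
    return null; // corrupted value counts as no decision, never as consent
  }
}

// Persist the choice. A decline is stored too, so the banner is not shown on
// every page view, but only an explicit true enables loading.
function recordConsent(store, accepted) {
  store.setItem(CONSENT_KEY, JSON.stringify({
    version: CONSENT_VERSION, analytics: accepted === true, decidedAt: new Date().toISOString(),
  }));
}

// Run on page load. Returns what the page should render:
//   "ask"      no valid decision yet: show the banner, load nothing
//   "declined" visitor said no: load nothing
//   "loaded"   visitor opted in: the loader was invoked
function initTracking(store, loadAnalytics) {
  const c = readConsent(store);
  if (c === null) return "ask";
  if (!c.analytics) return "declined";
  loadAnalytics();
  return "loaded";
}

// In-memory stand-in for window.localStorage so the example runs in Node.
class MemoryStore {
  constructor() { this.items = new Map(); }
  getItem(k) { return this.items.has(k) ? this.items.get(k) : null; }
  setItem(k, v) { this.items.set(k, String(v)); }
}

// One visit: first load asks, a decline loads nothing, an opt-in loads once,
// and consent recorded under an older notice version asks again.
function demo() {
  const store = new MemoryStore();
  const loads = [];
  const loader = () => loads.push("analytics.js");
  const states = [initTracking(store, loader)];
  recordConsent(store, false); states.push(initTracking(store, loader));
  recordConsent(store, true);  states.push(initTracking(store, loader));
  store.setItem(CONSENT_KEY, JSON.stringify({ version: 1, analytics: true }));
  states.push(initTracking(store, loader));
  return { states, loads: loads.length }; // ["ask","declined","loaded","ask"], 1
}
```

In a browser, `MemoryStore` is replaced by `window.localStorage` and the loader is the function that appends the analytics script tag; the banner's buttons call `recordConsent` and then `initTracking` again.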
H&M | $41.3 million | Germany, 2020
Whilst the other high profile instances of GDPR enforcement were due to consumers affected by data breaches and company practices, H&M’s fine was for illegally surveilling its own employees in Germany.
The Data Protection Authority of Hamburg (HmbBfDI) pronounced the fine, Germany’s largest since the implementation of GDPR, after the company had been found to excessively monitor the private lives of its employees. Since at least 2014, some members of the staff had been subject to “extensive recording of details about their private lives”.
“After absences such as vacations and sick leave the supervising team leaders conducted so-called Welcome Back Talks with their employees. After these talks, in many cases not only the employees’ concrete vacation experiences were recorded, but also symptoms of illness and diagnoses,” HmbBfDI said. “In addition, some supervisors acquired a broad knowledge of their employees’ private lives through personal and floor talks, ranging from rather harmless details to family issues and religious beliefs.”
The data collection practices were exposed in October 2019 after an internal error allowed the information to be accessible for several hours. Prof. Dr. Johannes Caspar, the Hamburg Commissioner for Data Protection and Freedom of Information, said of the fine: “The amount of the fine imposed is therefore adequate and effective to deter companies from violating the privacy of their employees.”
Our Thoughts On GDPR
GDPR is a progressive and comprehensive act that sets a standard for data protection that protects consumers, and that is a good thing for individuals. The penalties are designed to be proportionate and effective, to force companies to see how serious the issue of data protection is and to dissuade non-compliance.
I’m European, so I may be biased; GDPR aligns with my European sensibilities. But my priorities are with the companies that I provide value for, and I believe that enhanced data security practices are in their best interest too.
Yes, the change might have some teething pains for companies that aren’t able to comply quickly enough or afford the cost of hiring compliance professionals to manage specific risks. Still, the fines are expensive enough to consider investing in compliance professionals or at least auditing your existing risks.
It helps that European data enforcement agencies work with data controllers to mitigate the fallout of any, or potential, breaches. It isn’t just that they hand out penalties, they actively want the digital environment to be safer, smarter and more improved; to restore consumer confidence in digital spaces; and to provide users with rights and protections over their personal data.
With the opt-in approach for remarketing to your website visitors, remarketing could become leaner. You can be reassured that users on your lists made a conscious decision to opt in to be there. Having systems in place to organize and audit your own data also cleans up a lot of the noise in data by removing redundant, obsolete and trivial (ROT) data. Your data will be gold, you’ll want to protect it, and your team will be all the more efficient for it.
We are not lawyers; we cannot help you audit and achieve compliance in cybersecurity, but we can build a kick-ass website that will meet GDPR requirements, and we can work alongside your data management team to create a digital environment that will build consumer confidence in your brand and meet your business goals.