The European Union’s sweeping data privacy law, the General Data Protection Regulation (GDPR), sent many companies scrambling to come into compliance before it took effect in May 2018. The law covers EU citizens’ data anywhere in the world, meaning companies globally must comply or face fines of up to 10 million euros or 2 percent of their annual global turnover (revenue), whichever is greater, per violation.
Now, four years into the GDPR’s implementation, the landscape of data privacy has changed significantly. While big cases against tech giants still await final decisions, smaller companies have had to change their behaviors and improve their handling of user data. A number of other data privacy and security measures have emerged across the world, including many state regulations, such as the California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act (VCDPA).
The GDPR is an 88-page law that contains 11 chapters and 99 articles, all of which are intended to improve and unify data privacy practices in regard to the data of EU citizens. It is not limited to the borders of the EU; any company that collects and/or processes the data of any EU citizens must comply with the GDPR. Companies across the United States that do any business with EU citizens are included in the law’s scope.
Among the rules the GDPR put into place for the “data controller” and “data processor” to follow were rights and freedoms granted to the data subject, or each individual user. These include ethical concerns such as the user’s right to consent to data collection, the right of a user to request deletion of their data and the right of a user to access their data. To respond meaningfully to these rights, many companies had to put systems and processes into place that previously did not exist. Since 2018, efforts have been made to clarify specific GDPR clauses, but some questions remain for companies trying to comply.
Odia Kagan, a partner at Fox Rothschild LLP and chair of the GDPR compliance and international privacy practice, said there is no real blueprint for GDPR compliance. The question businesses must start with is, “Basically, what do the rules actually mean for my business?” The answer can be different from company to company, Kagan said.
“We tried to get started and get the basics done to get going, because there are rules common to everybody,” she said. “GDPR is not a snapshot in time; it’s an ongoing deal. You have to keep going and keep reassessing; it’s an ongoing compliance process. Even companies that have done a fair amount of work likely still have more to do and maintain.”
The GDPR codifies standards for data processing and collection, creating sweeping rules governing the use of EU citizens’ data even outside the EU. Essentially, Kagan said, every company must start with the following considerations when working toward GDPR compliance:
“The added complexity was that EU companies already had a big head start,” Kagan said. “The Data Protection Directive had national implementing laws across the 28 EU states; this basically covered like 80 percent of [the regulations within] GDPR.”
Subsequent additions to the Data Protection Directive, such as the 2002 ePrivacy Directive, have kept the EU ahead of the U.S. in data protection legislation. U.S. companies had to scramble to catch up during GDPR implementation, and many clients asked Kagan whether she had a checklist they could follow. Her response was “Yes, but …”: it is not a one-size-fits-all program. Instead, Kagan said, they started with the requirements that are common to all businesses.
The penalties for failing to comply with the GDPR are potentially steep: fines of up to 10 million euros or 2 percent of global annual revenue from the previous year. For many businesses, that could amount to a fatal blow. While large companies such as Marriott, British Airways and H&M have faced hefty fines, it’s unclear whether any smaller companies have folded as a result of the regulations. The cost of compliance with the new guidelines did result in the exit of about a third of Android applications, according to a study from the National Bureau of Economic Research. For companies in the U.S. and beyond, staying on top of GDPR compliance is a priority and an ongoing challenge.
When it comes to ensuring compliance with any sweeping law such as the GDPR, it’s wise to partner with an attorney or consultant who demonstrates experience and specialization in that area. However, a great first step is to simply read the law, said Donovan Buck, vice president of software engineering at BrandExtract.
“If you don’t know where to start, the law is really easy to digest,” Buck said. “It’s kind of long, but it’s written in clear terms that normal people can understand. And there’s a preamble to it … [that] gets the spirit of the law across. The law itself is not that scary. Read the law; it’s not that bad.”
Even for those who read the law, the GDPR left a lot of unanswered questions leading up to (and even after) its implementation in May 2018. Since then, the European Data Protection Board, the overarching supervisory authority governing the GDPR, has issued clarifications and guidelines to help companies ensure they are indeed compliant, including the following:
The European Data Protection Board has released myriad updated guidelines, clarifications and best practices since the GDPR’s enactment in 2018. Major updates include information on which companies are bound to the GDPR, what consumer data is considered necessary to collect and how companies should fulfill data requests.
While the GDPR has certainly improved data security by weeding out some egregious violations, overall enforcement is taking longer than many people expected. Information moves quickly online, and to many the GDPR seems to struggle to keep up, especially with huge, wide-reaching tech companies such as Meta and Google. For example, the data privacy nongovernmental organization noyb (which stands for “none of your business”) brought a complaint over forced consent against Instagram, Facebook, Google and WhatsApp the day the GDPR became active. Over four years later, a resolution is still pending.
Enforcement is happening, however. Regulators have issued 1,216 fines under the GDPR, Privacy Affairs reported, and together they exceed $2.5 billion in penalties as of December 2022, according to Enforcement Tracker. That means companies need to ensure they’re following regulators’ definitions of elements of the law, such as “disclosure” and “consent,” not their own interpretation of these terms.
According to Enforcement Tracker, the three biggest fines include 746 million euros (about $790 million) against Amazon Europe Core S.à.r.l. by Luxembourg officials in July 2021, as well as two big penalties against Meta in 2022. In September 2022, Ireland’s Data Protection Commission fined Meta Platforms Inc. 405 million euros (roughly $430 million), and in November 2022, it fined Meta Platforms Ireland Ltd. 265 million euros (about $280 million). The same names dominate the highest-fines list, with Amazon, Meta (including Facebook and WhatsApp) and Google receiving eight of the top 10 largest fines.
The November ruling against Meta relates to a data breach of approximately 533 million Facebook users’ personal information, including email addresses and phone numbers. In addition to paying the fine, Facebook must take actions to improve users’ data safety and prevent further data scraping. The September ruling against Meta said Instagram was in violation of GDPR guidelines for children’s data, which is under specific protections. Instagram allowed children ages 13 to 17 to share email addresses and phone numbers on business accounts. It also made teenagers’ accounts public by default. Meta is appealing the ruling.
Luxembourg’s fine against Amazon Europe Core S.à.r.l. relates to the ways it uses customer data to develop targeted advertising. Amazon also appealed the decision.
“A big part of [many] regulations is how you collect consent, and how you inform the consumer in a clear, transparent and obvious way [about] what you’re collecting,” said Chris Slovak, co-founder and CEO of Challenger Interactive.
While accountability for tech giants is moving slowly, the overall attitude toward data privacy is shifting. The average consumer has become more aware of the ways companies collect their information, and privacy concerns have become central to conversations about tech. However, even businesses that don’t consider themselves tech companies should evaluate their customer data practices and make sure their data management is secure.
The GDPR was just the “catalyst” of a tidal wave of global data protection laws, Slovak said, and companies should monitor similar developments around the world.
For example, California, Virginia, Utah, Colorado and Connecticut are putting new data privacy laws into place or updating existing laws. Other nations, such as South Korea and China, are also passing new regulations around data security.
Upcoming data protection laws and regulations in the United States emphasize consumer opt-out rights and privacy preferences, according to law firm Thompson Hine. To comply, online businesses must make sure their websites provide customers with an approved, clear way to opt out of the sharing or selling of their personal information. That could mean a “do not sell or share my personal information” link and/or a “limit the use of my sensitive personal information” link.
These are just some examples of upcoming guidelines designed to offer consumers more transparency and control. In 2024, you can expect many more guidelines surrounding communication with customers about their rights to data privacy.
“This isn’t isolated to EU citizens and California,” Slovak said. “It’s a trend that’s going to sweep the world. Get ahead by investing in the data flows you have today.”
The GDPR requires that disclosure to data subjects be “concise, transparent, intelligible and easily accessible, and use clear and plain language.” Make sure any data privacy communication with your customers is clear and light on jargon, both to ensure compliance and to build trust and loyalty with your clients.
Compliance with an all-encompassing law such as the GDPR can seem impossible, but if you take it one step at a time, your business will soon be on the road to compliance. To stay motivated, remember that full compliance doesn’t have to be the goal; even showing an effort could be enough to keep regulators at bay.
“Companies that have been on a path and worked with regulators … have had cases closed against them or their fines have been reduced,” Kagan said. “You need a plan. Conduct a risk assessment, figure out the riskier pieces of your processing, and start working through them. Be on a path.”
Follow these tips to get started:
Compliance with the GDPR, CCPA and other data privacy legislation is an ongoing process. While each piece of legislation that has been passed or proposed has different requirements, the basic goals are the same. From properly managing the processing of personal data to preventing a breach, there’s a lot that companies are expected to do. That means you can start working toward compliance without knowing all the details or having all the clarification coming down the pike from regulators, Kagan said.
“It’s not too late to comply,” she said. “Disregard the fact that your sink is full of dishes. Don’t avoid it and put it off until tomorrow — just get started.”
By implementing and following best practices, you can reduce your risk of running afoul of data privacy laws and, in the worst-case scenario, demonstrate to regulators that you have made a good-faith effort to protect consumer data. Beyond compliance, there are compelling business reasons for adhering to the best practices set out in data protection regulations, Slovak said.
“If you do it right, you get auditability and transparency,” he said. “You can tell your customers what data you have and where you’re sending it. If you do it right, you’re going to have better conversations with your customers because you have a better understanding of what they want in the moment you’re talking to them.”
Protecting consumer data privacy is good business sense and helps you build a trusted brand, he added. GDPR readiness is a good way to start shifting toward putting consumer data protection first.
“At the end of the day, data is something that’s entrusted to you,” Slovak said. “A consumer is entrusting you with information about themselves so you can create better experiences and services for them. This is an opportunity to reevaluate how you treat your customers and prospective customers. It requires a different way of thinking, and an investment in data and the tools to manage the data itself.”
To stay ahead of the regulatory curve and start building better relationships with your customers, you can start by investing in your data infrastructure and governance.
Cailin Potami contributed to the writing and reporting in this article. Some source interviews were conducted for a previous version of this article.