This May 25 marks the one-year anniversary of the General Data Protection Regulation (GDPR) taking effect, which represented the most significant change in data privacy regulation in decades.
A new survey conducted by Thomson Reuters indicates that businesses have increasingly struggled with GDPR compliance and other data privacy regulations over the last year.
Every organization doing business within the European Union must abide by its sweeping mandates on ensuring data privacy or face significant fines. Companies have already run afoul of GDPR — the most notable being Google, which faces a $53 million fine for lack of transparency and lack of proper consent in its data privacy policies. More high-profile cases are reportedly pending.
The European Commission reported that 95,180 complaints of alleged GDPR violations had been filed with data privacy authorities in Europe as of January 2019. The most common complaints involved telemarketing, promotional emails, and the use of closed-circuit television (CCTV) or video surveillance.
You can download the full survey, GDPR +1 Year: Business Struggles with Data Privacy Regulations Increasing, here.
Thomson Reuters surveyed data privacy professionals at global organizations in nine countries in 2017 and again in December 2018, both before and after GDPR took effect. The companies surveyed have average global revenues of $282 million and an average of 16,400 employees. The survey found that after one year, many businesses are still struggling to comply with GDPR; and with more data privacy regulations coming into effect in other countries (including the United States), the challenges facing businesses are mounting.
Compliance difficulties increasing
The new report, GDPR +1 Year: Business Struggles with Data Privacy Regulations Increasing, found that difficulties complying with data privacy regulations around the world have increased in several ways since GDPR took effect, most notably:
- 79% of companies worldwide are either failing to meet regulatory requirements or having trouble keeping up;
- 91% of companies are aware of GDPR, but one in four say they do not consider themselves knowledgeable;
- Half of companies have been subject to an enforcement action somewhere in the world;
- Companies are pulling back, and only 30% now say they are open and proactive in dealing with consumers; and
- Companies are spending an average of $1.3 million annually on data protection and expect those costs to rise this year.
Data privacy regulations growing globally
Even while difficulties coping with GDPR and other data privacy regulations are growing, such regulations continue to proliferate at a rapid pace. According to Thomson Reuters Data Privacy Advisor, several countries passed new data privacy laws in 2018 — many modelled after GDPR — including Brazil, Peru, Bahrain, Hong Kong, Uruguay, Israel, and Chile. Other countries are expected to take similar action this year as well.
However, some of the most significant developments have been in the U.S., where bills have been introduced in Congress to establish a national data security law. And Facebook reported it anticipates a fine of more than $3 billion from the US Federal Trade Commission for its data protection policies and a series of data breaches.
The California Consumer Protection Act (CCPA) takes effect on January 1, 2020, and at least 11 other states are considering similar legislation. The CCPA, signed into law last June, gives consumers new rights in regard to collection of their personal information. The Thomson Reuters survey found that 40% of companies both in the US and around the world say they are not knowledgeable about CCPA, just seven months before it takes effect.
As new data privacy regulations continue to be enacted and enforcement steps up, half of companies surveyed now say they have been the subject of an enforcement action involving a data protection regulation in a country where they do business. That figure is up from 38% the year before. Singapore has the highest rate at 57%; but even in New Zealand — the country with the lowest violation rate — more than one-third of companies reported receiving enforcement actions.
Risk of falling further behind
It’s not entirely surprising that nearly half of companies surveyed (47%) say that they are either struggling to stay current or are falling further behind in keeping up with global data privacy regulations. The implementation of GDPR created major new challenges for organizations worldwide. Companies anticipate further cost increases as new regulations proliferate, and many companies still lack vital tools for tracking and meeting this expanding global regulatory framework.
GDPR may turn out to be merely the starting point for a new wave of data privacy regulations, and organizations may find themselves increasingly challenged to meet these growing requirements.