GDPR is now six months old. So where are all the blockbuster fines for data breaches?

 
Luke Graham
GDPR was introduced to address the hoarding of personal data by companies (Source: Getty)

It has been six months since the European Union’s sparkly new privacy rules, the General Data Protection Regulation (GDPR), finally came into effect.


There was a flurry of activity in the run-up to 25 May as people received dozens (if not hundreds) of emails from businesses asking for consent to retain their data. But since then, it is hard to tell from a consumer perspective what actual impact GDPR has had. What was the point? Is it even working? Was life, the universe, and the internet better before?

With this in mind, let’s take a look at some of the lingering questions six months on from GDPR.

Why should we care about GDPR?

In recognition of the fact that companies have become increasingly data-dependent in the last decade for marketing, the aim of GDPR was to modernise the rules on data privacy and protection, and to force businesses to be more careful when handling customer data. The hoarding of this data created juicy targets for cyber attacks and hackers.

In the build-up to May, plenty of businesses (and journalists, including this humble writer) warned about the potential long-reaching effects of GDPR on companies and consumers. A lot of these dire warnings focused on the possible sanctions for firms that breached rules on handling personal data – fines could be as high as €20m, or four per cent of global turnover.


Individuals might not care, but businesses certainly paid attention. According to Nick Taylor, UK lead at Accenture Security, GDPR has taught businesses that they cannot be complacent when it comes to data.

“The threat of fines reasserted the need for businesses to prioritise cyber security – at the highest level, and not just within the technology or security functions,” he says.

“Best practice around training, threat hunting, rapid response and security policy is starting to get baked into decision-making across organisations.”

Where are all these fines?

Since May, only a handful of companies have actually been sanctioned under GDPR. In September, a Canadian analytics firm called AggregateIQ, which had worked for the Vote Leave campaign, became the first company to receive a formal notice that it would be fined, although the actual bill has not yet been set.

Since then, a German chat platform called Knuddels received a fine of €20,000 for storing user passwords in plain text (bad idea), while in Austria, a retailer was fined the paltry sum of €4,800 because it installed a CCTV camera outside its premises which happened to record images from a public pavement.

It’s possible that the reason fines have been so few and so low is because there are several ongoing investigations into GDPR breaches – the European data protection supervisor Giovanni Buttarelli told Reuters in October that he expects more fines to be announced by the end of the year.

But regardless, the lack of punishments just makes the whole endeavour seem toothless.

Do consumers care about their data?

GDPR was meant to put more power into the hands of consumers, such as letting them know what personal data was being stored and how it was being used.

While it may have been cathartic in May to ignore the desperate emails from brands asking consumers to opt in to marketing, since then most consumers haven’t really taken control of their data. In fact, those marketing emails somehow still keep cropping up in your inbox.

Let’s be honest, when we visit a webpage, we all still automatically click “accept” on the pop-up that appears asking about privacy preferences and cookies, which are little data packages that websites store on your computer. We’re more interested in getting to content, rather than stopping to read how that site will use our personal data. It is especially annoying how those pop-up requests also seem to slow down your internet speed.

“Consumers on the whole are not taking their privacy any more seriously than they were before GDPR implementation,” warns Andrew Buckman, managing director EMEA at advertising company Sublime.

“They see the consent banners as an annoyance, which can be quickly dealt with by clicking a button. They don’t necessarily understand the power they have been given over their own data.”

Wait, where’s my favourite website gone?

While GDPR came into force this year, it was actually first adopted by the EU officially in 2016. Businesses were given a two-year grace period to prepare for the new regulations.

It’s worth remembering that the scope of GDPR means that it covers any company in the world handling the data of EU citizens, not just European firms.

While some companies were diligent and got ready for the new rules (even if they rushed in the final months before the May deadline), others outside the EU decided “eh, why bother?”

To avoid having to comply with GDPR, some websites simply block users from the UK and Europe. There are dozens of American sites that have done this, including news sources such as the LA Times, Chicago Tribune, or New York Daily News. If you happened to like reading those sites in the past, you’re out of luck today.

Or you could use a virtual private network to get around those roadblocks. Either way, it hardly inspires confidence that users are in control of their data.

Did GDPR rock advertisers’ world?

GDPR has caused a big headache for advertisers this year. Problems started when Facebook and Google (the two largest digital ad platforms) changed their rules to make themselves GDPR-compliant. They ended support for third-party audience technology, and prevented marketers from exporting data.

This means marketers couldn’t measure basic information about how well their ads were doing. Perhaps that is not a concern for consumers, but it is shaking up the ad industry.

“The practical effect for digital advertisers has been reduced choice,” says Ben Knight, co-founder of digital marketing agency Croud. “This has increased the need to capitalise on clients’ own ‘first-party’ customer data – instead of third-party cookies.”

Meanwhile, GDPR has caused a “domino effect of chaos” on the ad industry, according to Buckman.

“For some advertising technology vendors, the lack of preparation by Google ahead of the deadline had significant impact on revenues.”

Is GDPR actually working?

GDPR is likely to be tested further in the future as it tries to deal with technological change. For instance, how will the regulations deal with data held on blockchains as they become more mainstream?

Matthew Cole, a partner from law firm Prettys, says it is too early to tell if the regulation is working, but the signs are positive, as the importance of data privacy and security is now better understood.

“Having said that, fundamental issues with GDPR do remain,” he adds.

“It is a complicated document, which contains many uncertainties; this will undoubtedly lead to inconsistencies in its application, particularly in the early days.”

Despite the lack of fines and the fact that consumers aren’t taking it seriously, GDPR broadly seems to be working. Companies seem to be taking their responsibilities seriously and are re-evaluating how and when they collect, store and use customers’ data.

And perhaps six months is too soon to evaluate whether or not the new rules are working.

After all, the challenge of who owns data has been growing since the dawn of the web, and it was always unrealistic to expect the fundamentals of how we behave and do business on the internet to change in the space of six months. This is only a first step.

GDPR remains complex and confusing. Still, at least it is something to write about that isn’t Brexit.
