How the EU’s General Data Protection Regulation is Working After the First Year

The GDPR

Prior to the ratification of the GDPR, individual data privacy was the responsibility of the individual. Outside of the EU, it largely still is, but when the GDPR went into effect it opened people’s eyes to just how many of the corporations they come into contact with were misusing their personal data. The GDPR, which grew from privacy laws enacted by individual EU member states, provides individuals with recourse if they do not approve of the way corporations use their data. Information such as names, physical addresses, phone numbers, email addresses, and medical and financial information was being shared by technology companies. Somewhere in the lengthy terms of service agreement, companies would include language that allowed them to package individual data and effectively use it as an alternative revenue stream. Consumers in the know don’t see this as fair.

This level of data privacy was roundly rejected in the United States until recently, and those who want to see a GDPR-like law on the books in the U.S. may not want to hold their breath. Before the GDPR was in the news, few organizations were thinking about how data breaches could negatively affect anyone but themselves. The regulation has led to a wholesale change in the way businesses view data management, the training of their staff, and security investments as a whole.

After One Year

In the first eight months, over 59,000 personal data breaches were reported to GDPR regulators. This may be fewer than you would have liked to see, but it is twice as many as were reported in 2017 and, of course, 59,000+ more than anyone wants. The fines GDPR regulators can levy are hefty (up to €20 million, or up to 4 percent of total revenue from the previous year, whichever is larger), so you are seeing a more aligned and strategic approach to keeping data secure and to quickly reporting any breaches that do happen.
If you would like to see how the GDPR has fared in its first eight months, download the DLA Piper GDPR data breach survey. The results don’t yet speak to the GDPR’s effectiveness, but in future reports it will become evident that the law is working to keep individual data secure or, at the very least, keeping companies honest. Under the GDPR, companies that sustain data breaches have 72 hours to notify the people whose information has been exposed. This strict deadline eliminates the possibility that companies can manipulate public perception about how they are faring with data security, as you’ve seen numerous times over the past two decades.

Unfortunately, the huge teeth that the GDPR was built with haven’t been used to bite non-compliant companies thus far. Fines totaling €55,955,871 have been levied against the companies responsible for the 59,000-odd reported data breaches, an admittedly modest amount when you consider that around 90 percent of that sum was a single fine against U.S.-based tech giant Google. According to a French GDPR regulator, this small amount should be seen as the result of a transition year rather than some type of long-term ineffectiveness in the law. It remains to be seen just how effective the law can be if […]