GDPR Status After One Year: What We Learned

A little more than a year has passed since the EU General Data Protection Regulation (GDPR) became legally enforceable, and it’s becoming clear that simply sweeping data breaches under the carpet has become a high-risk strategy.

For the past year, companies around the world have been scrambling to ensure they are as compliant with the new regulations as possible, showing that they have placed a priority on data protection and taken into account the flow of data in and out of their companies, as well as the information eco-system of their partners.

The GDPR refers specifically to “personal data” – information that can be used to identify a particular person. It can be a name, ID number, location, or an online identifier. GDPR applies to companies located within the EU and to companies globally if they do business in the EU or have access to data of EU citizens.   Companies must get explicit consent before collecting such data and then must protect that data and ensure it can never be identified with that person without authorization. Companies are also required to report data breaches within 72 hours in some cases.

The law has essentially set the world standard on data privacy. The California Consumer Privacy Act is set to go into effect on Jan. 1, 2020, based on the principles of GDPR. Standards in Japan, Brazil, and Argentina, among other countries, have aligned their own data protection policies to comply with GDPR.

Will Year Two Be the Year of Enforcement?

The law has had an instant impact on data privacy, providing a powerful resource to ensure their data remains protected. Companies found in breach can be fined as much as 4% of the company’s annual turnover or €20 million ($22.6 million) – enough to make GDRP compliance an absolute necessity, even for companies based outside the EU.

The European Commission published some statistics one year on to illustrate its impact.

  • Nearly 145,000 complaints were filed in the first year
  • Nearly 90,000 data breaches were reported by companies
  • The most common activities that received complaints were telemarketing, promotional e-mails, and video surveillance

While the European Data Protection Board (EDPB) has been empowered to use the full force of the regulations against violators, some believe that authorities were relatively light on penalties during the first year, suggesting that they were more interested in guiding greater compliance than penalizing violations.

There were, however, some notable exceptions. Google in France was fined a whopping €50 million ($56.8 million) for failing to get proper consent from citizens in its advertising service. In another case, a Polish company was fined €220,000 for scraping data from public sources without consent from the people involved.

What can companies expect in the second year and onward?

Advocate Inbal Aviad, Chief Legal Officer at Papaya Global and head of the GDPR committee of the Israel Bar Association, explained, “The GDPR completely changed the compliance risk for organizations, but we haven’t seen the big fines levied just yet”

“I suspect that if 2018 is the year of implementation, 2019 will be the year of enforcement. Starting in 2019, I  expect this ‘grace period’ to end, where companies will either shape up or face serious fines by regulators. Laws are only as strong as their enforcement, and we are encouraged by the fact that many data protection authorities are starting to closely scrutinize the underwhelming implementation measures taken by some companies and the thousands of complaints filed.”

Make Sure Your Payroll is GDPR Compliant  

If your company manages a global contingent workforce, you are responsible for ensuring that the personal payroll data of your employees remains secure and encrypted. Mailing the data through email is not sufficiently secure – and may well be worst way to transfer sensitive information. Instead, use a secure platform that allows you to manage your payroll needs.

In addition, the workers must have secure and transparent access to their data. They must also be able to modify or delete sensitive data upon request.

Papaya’s cloud-based global workforce management solution provides a comprehensive payroll eco-system for companies, facilitating GDPR compliance by encrypting documents and improving the security of personal employee information.

The EU has set the world standard for data privacy. Choose a payroll system that has GDPR compliance built in – or risk heavy fines and a potential loss of employee trust.