GDPR One Year Later

One year ago, the EU’s GDPR went into effect. The increased focus on privacy has led regulators to consider whether their laws should follow the EU’s approach of treating privacy as a fundamental human right, or the traditional approach in the United States of addressing market failures on an issue-by-issue basis.

In the months after the GDPR went into effect, some regulators in the EU took a relaxed approach to enforcement.

That informal grace period appears to be ending. A report indicates that 55,955,871 euros in aggregate penalties for almost 60,000 reported data breaches were imposed during the first nine months of the GDPR. We have also seen at least one extraterritorial enforcement action. The UK’s Information Commissioner’s Office investigated a Canadian entity’s involvement with Cambridge Analytica’s alleged use of EU citizens’ data for analytics for the Brexit campaign. The company agreed to comply with a cease order. The jurisdictional question was never fully resolved.

Over the next few years, we are likely to see increased enforcement and formal guidance concerning the GDPR. We are also likely to see privacy issues remain in the public spotlight, with many regulators around the world considering whether to adopt stricter data privacy and protection laws. It is important for companies to consider their own data practices and how they can increase market share, improve customer trust, and minimize risk through the implementation of sound privacy and data security policies and practices.