This time five years ago, you – like millions of people across Europe – might have been doing last-minute research on the GDPR (General Data Protection Regulation), a brand new piece of legislation that was poised to revolutionise data protection.
For many people outside the information security and compliance sectors, the GDPR appeared as if from nowhere. It had barely been talked about, despite its two-year lead-in time and the impact it would have, and many organisations were caught off guard.
According to one report published just four months before the GDPR took effect, 62% of respondents hadn’t even heard of the Regulation.
All that changed in May 2018, however. Reports of the GDPR were everywhere, with commentators online and across the media landscape explaining its widespread rules and the mouth-watering prospect of fines of up to €20 million for non-compliance.
As the European Commission noted in a since-deleted infographic, the GDPR was googled more often than Kim Kardashian or Beyoncé.
In the five years since then, the fascination and panic surrounding the GDPR have died down, but its rules remain as important as ever. Updates regarding the Regulation might no longer be front-page news, but fines, regulatory complications and appeals continue to shape the way organisations approach data protection practices.
As the GDPR celebrates its fifth anniversary, we look back at the biggest developments from the past half decade and consider what the future holds for the EU’s data protection framework.
The fine print
Above all else, the thing that captured the public’s attention regarding the GDPR was the disciplinary powers it gave to regulators. Organisations that breached the Regulation could face penalties of up to €20 million or 4% of their annual global turnover – whichever was greater.
This was a major enhancement over the rules set out in its predecessor, the 1995 Data Protection Directive, which contained no framework for fines.
As such, the scale for penalties varied greatly as the Directive was transposed into domestic law. One thing they had in common, however, was that they were uniformly modest sums compared to the GDPR.
For instance, the maximum penalty in Ireland was €100,000, while the UK was comparatively stricter with £500,000 (approximately €570,000 by the time the GDPR took effect).
The GDPR increasing the maximum penalty by as much as 2,000% was bound to cause a stir, and some speculated that the potential for huge fines was a scare tactic to bully organisations into compliance.
However, regulators were keen to downplay the potential for massive fines. As the GDPR neared its enforcement date, the UK’s data protection commissioner at the time, Elizabeth Denham, said:
It’s also true that companies are fearful of the maximum [penalties] allowed under the new law. But it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm.
Her words were echoed by data protection regulators across Europe, as they insisted that significant penalties would be issued only in extreme circumstances, and that other sanctions – such as enforcement action – would be the first resort.
“While fines may be the sledgehammer in our toolbox, we have access to lots of other tools that are well-suited to the task at hand and just as effective,” Denham said. “Like the [1995 UK Data Protection Act], the GDPR gives us a suite of sanctions to help organisations comply – warnings, reprimands, corrective orders.
“While these will not hit organisations in the pocket – their reputations will suffer a significant blow. And you can’t insure against that.”
For the most part, regulators have kept to their word. Excluding a handful of notable outliers, which we discuss in the next section, the average penalty has been around €2,000.
Although some people have concluded that the relative lack of blockbuster penalties is a sign of the GDPR not living up to expectations, the current status of the Regulation was always lawmakers’ intention.
Organisations that have failed to meet their compliance requirements have been subject to investigations, they have received instructions to bring their practices into line and, in some cases, they’ve received a moderate fine to dissuade them from further non-compliance.
Those penalties have been proportional to the organisation’s size, so although the sums might not be eye-popping, they were significant under the circumstances.
That said, there have been times when organisations have made egregious mistakes and have been punished accordingly. As of May 2023, 1,642 fines have been issued, and on 17 occasions the penalty was €20 million or more.
Biggest GDPR fines
Since the GDPR took effect, the total sum of GDPR fines is €3,987,143,873. Of that figure, €3,491,000,000 – or 87% – has come from ten incidents.

Reflect – review – refresh
Whatever your current GDPR practices look like, it’s important to remember that GDPR compliance is an ongoing process.
To ensure you continue to meet your data processing obligations, you need to regularly reflect on the requirements that affect your organisation, review your data processing activities and then refresh your compliance programme accordingly.
IT Governance has been at the forefront of GDPR compliance solutions since its inception. In the past five years:
- More than 4,000 people have taken our GDPR training courses;
- We’ve delivered GDPR staff awareness training to more than 78,000 people;
- We’ve provided GDPR consultancy to more than 750 organisations; and
- Hundreds of organisations have bought our GDPR books, documentation templates and toolkits.
If you need to update your GDPR compliance activities to ensure you still meet your obligations, we have everything you need.