
GDPR: Where Are We Now?

Five things you need to know about the effect of the EU’s new regulation.
By Zach West Posted on February 20, 2020

1. 160,000 data breach notifications have been made since May 2018.

  • The first eight months since GDPR implementation saw an average of 248 data breach notifications per day. Since then, the average has risen to 278 notifications per day.
  • The Netherlands, Germany, and the UK were the top three countries in terms of number of data breaches reported (40,647, 37,636 and 22,181, respectively).

2. Approximately $126 million/€114 million in fines have been imposed so far, with even larger ones on the horizon.

  • Two other notable fines include the $230 million/€213 million levy on UK airline company IAG and the $124 million/€112 million fine on Marriott Hotels for the Starwood breach, which have not yet been finalized.
  • The biggest fine (so far) was one levied by French data protection authority CNIL against Google, at $57 million/€50 million; experts expect bigger fines as regulators become more comfortable with enforcement.

3. Just 28% of organizations said they were fully compliant, according to a survey.

  • However, 30% also claimed they were “close to” full GDPR compliance—defined in the survey as meaning they were still in the process of “resolving pending issues.”
  • The pending issues companies struggled with the most in their compliance efforts were “aligning legacy IT systems,” “complexity of GDPR requirements,” and “prohibitive costs to achieve alignment with regulations.”

4. Notably, a majority of executives agree GDPR compliance has had positive secondary effects.

  • 84% of executives from compliant firms agreed becoming GDPR compliant had a positive impact on customer trust, 81% said they believed GDPR compliance bolstered their brand image, and 79% noted better employee morale.
  • 87% of the same executives said GDPR compliance had resulted in improvements in IT systems, and 91% said GDPR compliance led them to better their cybersecurity practices.

5. Keep an eye out for a report by the European Commission on GDPR progress and application, due by May 25, 2020.

  • The report will review progress of GDPR implementation and its application to and by member states.
  • It will also review previous “adequacy decisions” made about third-party countries/international organizations to ensure those third-party countries/international organizations still offer an adequate level of data protection for data transfers.

For more from Leader’s Edge on the ins and outs of the GDPR and other cyber regulations, see Jody Westby’s exploration of the implications these regulations have for M&A, and Rob Boyce’s dive into a report outlining industry concerns about “America’s GDPR”—the California Consumer Protection Act.

Zach West, Content Specialist
