GDPR Compliance Myth #9: No one really cares about GDPR compliance

As GDPR came into force in May 2018, many people questioned the hype around compliance with the regulation.

VinciWorks has revisited our popular GDPR mythbusters series to separate the data protection facts from fiction.

GDPR received the kind of hype normally reserved for a celebrity meltdown or an Avengers movie. In 2018, the EU regulation, formally known as Regulation 2016/679, scored higher in Google search rankings than Beyoncé and Kim Kardashian. GDPR notched up over 300,000 media mentions, three times as many as Mark Zuckerberg managed. It even spawned a sub-culture of memes as EU citizens drowned under a flood of emails informing them of privacy policy updates and urging them to “click here to re-subscribe”.


As pointless as those activities were – consent was never the only lawful basis for sending marketing messages – they helped embed GDPR in the public consciousness in a way few other EU regulations have. And, unlike other pieces of pop culture, GDPR is something individuals can actually use to take control of their data, and even to effect change.

Data protection complaints keep rising

As of 25 January 2019, eight months to the day since GDPR came into force, national data protection authorities had reported nearly 100,000 complaints from concerned citizens. As the EU Commission said, “citizens have become more conscious of the importance of data protection and of their rights. And they are now exercising these rights.”

Those complaints have sparked 255 separate investigations so far, the vast majority arising from complaints by individuals rather than being initiated by a regulator. Alongside the ongoing investigations of high-profile tech companies such as Facebook, WhatsApp, Google and Instagram, three fines have already been issued, totalling €50,025,280. While €50 million of that is owed by Google, Germany fined a social network €20,000 for failing to secure user data and Austria fined a sports betting cafe €5,280 for unlawful video surveillance.

The activities most complained about are telemarketing, promotional emails and CCTV surveillance, hardly the standard activities of the average tech giant. This shows that GDPR isn’t only about big data and bigger companies: it’s helping the average citizen take control of their data and raise the kind of concerns and complaints consumers raise about any other product or service in their lives. The UK’s Information Commissioner’s Office (ICO) alone receives over 500 calls each week from individuals concerned about misuse of their data.

Many companies are playing their part in GDPR enforcement by taking their data protection obligations seriously. Over 41,000 breach notifications have been submitted to regulators since GDPR came into force. That’s around 500 data protection breaches every 72 hours – the length of time a company has to report a breach to its national regulator.

Many businesses yet to comply with GDPR

When it comes to compliance, a significant minority of businesses still have some way to go. Research released by Cisco in its 2019 Data Privacy Benchmark Study revealed that only 59% of businesses said they are meeting “all or most” of GDPR’s requirements. The effects of non-compliance speak for themselves: only 37% of GDPR-compliant companies suffered a data breach costing more than $500,000 in the last year, while 64% of non-compliant companies suffered such a breach.

It’s clear that the only people who don’t care about GDPR compliance are the 41% of businesses still failing to meet the basic minimum standards. Everyone else, from consumers to regulators, cares a great deal, and the data suggests that isn’t going to change any time soon.

VinciWorks to release GDPR refresher training

Staff should carry out GDPR training regularly so that they remain able to respect and protect individuals’ personal data. We will soon be releasing new refresher training to help staff maintain awareness of GDPR requirements year after year. Within the same course, users can take advanced modules related to their role. This training will include topics such as how to be a DPO, GDPR for marketing and HR, and responding to subject access requests. You can register for updates on the training here.