Complex Made Simple

GDPR one year later: If you’re still not GDPR compliant, millions in fines await

GDPR completes its first year of implementation tomorrow, yet many businesses remain non-compliant, especially in the GCC.

– By February 2019, European data protection agencies had issued fines totalling €56m ($62.7 million) for GDPR breaches.

– There are more than 200,000 reported cases, with Facebook and Google as the biggest offenders.

– In essence, GDPR is about "processes and people" – very much a business culture change in how data is handled daily.

Europe’s General Data Protection Regulation, or GDPR as it is more commonly known, turns one tomorrow. Ahead of its first anniversary, we look at what this first year was like for the GCC and the rest of the world, and why businesses need to be GDPR compliant.

What is GDPR?

Even a year later, many businesses are still not entirely familiar with what GDPR is.

“GDPR is a groundbreaking privacy framework that empowers residents of the EU to control their personal information so they can use digital technologies to engage freely and safely with each other and with the world,” Julie Brill, Corporate Vice President at Microsoft, writes in a company blog.

Essentially, GDPR is the European Union’s (EU) way of regulating how its citizens’ personal data is handled and transmitted, within its areas of jurisdiction but also beyond them.

GDPR compliance beyond Europe

Any international business that deals with European clients or handles data pertaining to EU citizens is subject to GDPR.

This means that even if a business such as a bank is based in the UAE or Saudi Arabia, it needs to be GDPR compliant if it handles any European clients. If it does not, it could face heavy fines:

– Up to €10 million ($11.2 million), or 2% annual global turnover – whichever is higher; or

– Up to €20 million ($22.4 million), or 4% annual global turnover – whichever is higher.

Facebook learned this the hard way earlier this year. 

Facebook, which is an American company, is currently being investigated by Ireland’s Data Protection Commission (DPC), the default privacy regulator for Facebook in Europe. The social media giant could be facing a fine of $2.2 billion for breaking GDPR law. This came after Facebook admitted that it had stored hundreds of millions of users’ passwords in plain text, to which around 20,000 employees had access.

By February 2019, European data protection agencies had issued fines totalling €56m ($62.7 million) for GDPR breaches since enforcement began last May, from more than 200,000 reported cases. Ironically, €50 million of that total was a single fine issued to Google.

GDPR compliance is about business culture

While Facebook had supposedly achieved GDPR compliance, this turned out not to be entirely true. Although it rolled out the required alterations to its privacy policy and similar documents, it left a major logic and privacy gap in the way it handled users’ passwords.

This emphasizes the fact that GDPR compliance is not a one-off deal or tweak, but a continuous change in mindset and business culture. Had Facebook been truly GDPR compliant, its management and everyday work practices would never have allowed those passwords to end up the way they did. A recent history of privacy leaks and breaches at Facebook indicates that while the paperwork confirms GDPR compliance, the business culture at Facebook’s offices does not.

“GDPR is [about] processes and people,” Claude Schück, the Regional Manager – Middle East at cloud data management firm Veeam, told AMEinfo. “You get processes and people sorted, you comply with GDPR.”

He admits that GDPR compliance is obviously more complex than that, but says that in essence it revolves around these two groups: processes and people.

The GCC is slow on the uptake, but is getting there

One year later, many businesses in the GCC are still not GDPR compliant.

“I think it’s been slow,” Schück said. “Have they all complied? No, not yet, but they are aware and they are en route to achieving compliance. Is there a sense of urgency? No, not yet.”

He explains that GDPR compliance isn’t the top priority for many GCC businesses, especially given that many of them don’t have European customers.

Still, GDPR compliance is about more than just abiding by a regulator’s rules. In practice, it leads to healthy data management and cybersecurity habits within businesses, Schück confirms.

As for the simplest forms of non-compliance, he explained: “From the PR secretary at the front desk, to anybody within an organization writing down something, leaving it on the deck – that’s GDPR non-compliance. There is a process that needs to be followed regarding how you get that piece of information, how you store it, whom you write it for, etc. That’s the most difficult part of the GDPR process, I believe.”

With GDPR in mind, businesses can get into the habit of adopting better data management practices, which benefits both them and their customers in the long run.

So while the GCC has been a bit muted in terms of GDPR compliance, it’s better to be safe than sorry.

“Simply put, GDPR is working,” Danny Allan, VP, Product Strategy at Veeam, commented. “We can expect to see more fines, harsher penalties and further efforts to expose incompliance. We will also see a shift in the way organizations use personal data – the lifeblood of businesses in the digital era.”