It’s more than one year since the European General Data Protection Regulation (GDPR) was introduced. As we know, the regulation was meant to unify the existing legislation of individual EU member states, and to better protect and empower citizens’ data privacy. Most public and private organisations struggled to comply with GDPR obligations, and this was particularly challenging for small and medium enterprises. However, we might be quite satisfied with overall results up to date.

According to independent studies in different EU countries, public awareness of data protection rights under the GDPR is high, and confidence in organisations that store and use personal information has grown. In the UK, over 90% of data privacy officers reported that their company had a full accountability framework in place, and about 66% received great support in developing a framework to embed accountability rights into their organisation.

A peculiar requirement of GDPR is data breach reporting: any organisation should notify the supervisory authority within 72 hours of becoming aware of the breach, where feasible. According to DLA Piper, over 59,000 data breaches have been reported across EU since the GDPR came into force, with the Netherlands, Germany and the UK topping the table [Note: we need to be careful in commenting this figure, as DLA Piper highlights that not all EU members disclosed their own information].

It is interesting to notice that incidents range from minor breaches, such as e-mails sent to the wrong recipients or distribution lists, to significant cyberattacks. The UK was among the countries with the highest number of notified data breaches: of the 14,000 reported cases, only 17.5% required action from the organisation and less than 0.5% led to either an improvement plan or a civil monetary penalty.

The same report points out that less than 100 fines have been imposed under GDPR. The most important infringement? Against Google in January 2019, with € 50 million fine imposed by the French authority in relation to the processing of personal data for advertising purposes without valid authorisation.

For IT departments, GDPR was probably an additional workload, as the new regulation imposed a closer cooperation with other corporate functions (starting from HR and customer-facing teams) and affected how IT services are delivered and tracked over time. GDPR obligations also turned out to be an opportunity to improve IT processes and put privacy and data protection at the core of IT decisions.