GDPR One Year Later: A Data Privacy Retrospective

On May 25, 2018 the EU’s GDPR went into effect. This was, by far, the most aggressive and sweeping privacy law the world had seen in years. New requirements, including a) responding to individual rights requests within 30 days unless certain criteria are met, and b) notifying regulators within 72 hours of a personal data breach, were just two of the most pressing obligations companies were required to address.
Over the last year, fines have been wide-ranging and have varied from country to country. Companies of all sizes across different industries have been caught in the crosshairs of the regulators, including but not limited to:
Fined €20,000 (~$22,500) by the German Data Protection Authority (DPA) following a breach that exposed personal information of 330,000 users, including passwords and email addresses.

Fined £500,000 (~$652,000) by the UK’s Information Commissioner’s Office (ICO) for the Cambridge Analytica scandal, which allowed illicit access to personal data of 87 million users.

British Telecommunications
Fined £77,000 (~$100,000) by the UK’s ICO for sending approximately 5 million unsolicited marketing emails.

Fined €50 million (~$57 million) by the French Commission Nationale de l’Informatique et des Libertés (CNIL) for not properly disclosing to users how data was collected across its services to provide personalized advertisements.

Fined £250,000 (~$326,000) by the UK’s ICO for an attack that took place in 2014 in which contact information and passwords of 500 million users were exposed.

Fined £500,000 (~$652,000) by the UK’s ICO for a 2017 breach that allowed hackers to steal sensitive financial information from approximately 15 million users.

Please see our latest insight to review what actions companies are taking to improve their data governance and privacy compliance programs, as well as what they are doing to prepare for the influx of new privacy regulations, including the California Consumer Privacy Act.