GDPR One Year Later: A Data Privacy Retrospective

On May 25, 2018 the EU’s GDPR went into effect. This was, by far, the most aggressive and sweeping privacy law the world had seen in years. New requirements including: a) responding to individual rights requests within 30 days unless certain criteria are met, and b) filing with regulators within 72 hours of a personal data breach, were just a couple of the most pressing obligations companies are required to address. 
 
Over the last year, fines have been wide-ranging and have varied from country to country. Companies of all sizes across different industries have been caught in the crosshairs of the regulators, including but not limited to:

 
ADV_CCPA_GDPR-one-year-later_5-19_icons_knuddels.png Knuddels.de

Fined €20,000 (~$22,500) by the German Data Protection Authority (DPA) following a breach that exposed personal information of 330,000 users, including passwords and email addresses
   
ADV_CCPA_GDPR-one-year-later_5-19_icons_facebook.png

Facebook

Fined £500,000 (~$652,000) by the UK’s Information Commissioner Office (ICO) for the Cambridge Analytica scandal, which allowed illicit access to personal data of 87 million users.
   
ADV_CCPA_GDPR-one-year-later_5-19_icons_britishtelecom.png

British Telecommunications

Fined £77,000 (~$100,000) by the UK’s ICO for sending approximately 5 million unsolicited marketing emails. 
   
ADV_CCPA_GDPR-one-year-later_5-19_icons_google.png

Google

Fined €50 million (~$57 million) by the French Commission Nationale de l’informatique et des Libertés (CNIL) for not properly disclosing to users how data was collected across its services to provide personalized advertisements.
   
ADV_CCPA_GDPR-one-year-later_5-19_icons_yahoo.png

Yahoo!

Fined £250,000 ($326,000) by the UK’s ICO for an attack that took place in 2014 where contact information and passwords of 500 million users were exposed.
   
ADV_CCPA_GDPR-one-year-later_5-19_icons_equifax.png

Equifax

Fined £500,000 (~$652,000) by the UK’s ICO for a 2017 breach that allowed hackers to steal sensitive financial information from approximately 15 million users.
 

Please see our latest insight to review what actions companies are taking to improve their data governance and privacy compliance programs, as well as what they are doing to prepare for the influx of new privacy regulations, including California Consumer Privacy Act.

Related Resources

Article

Healthcare Security in 2024: The Cyberthreat Landscape

April 5, 2024
Article

Healthcare Security in 2024: The Cyberthreat Landscape

April 5, 2024

Locked out from critical files and information, cybercriminals hold the organization hostage while demanding a payment in exchange for a decryption key to unlock the files and restore access to vital systems.

Read More

Article

PCI DSS Version 4.0 Resource Center

March 13, 2024
Article

PCI DSS Version 4.0 Resource Center

March 13, 2024

The Payment Card Industry Security Standards Council released version 4.0 of the PCI Data Security Standards on March 31, 2022. To help provide an overview of important updates to specific areas of the PCI DSS, BDO has created a series of documents that highlight new and upcoming changes.

Read More

Article

2024 Shareholder Meeting Agenda

March 5, 2024
Article

2024 Shareholder Meeting Agenda

March 5, 2024

As boards prepare to meet increasing demands for transparency during the upcoming proxy season and shareholder meetings, BDO’s 2024 Shareholder Meeting Agenda presents the top challenges and opportunities that boards and management teams should consider.

Read More

Article

Audit Committee Priorities for 2024

February 26, 2024
Article

Audit Committee Priorities for 2024

February 26, 2024

Organizations will continue to face economic uncertainty, regulatory changes, emerging technology, sustainability, and labor market challenges in the coming year.

Read More