The European General Data Protection Regulation, GDPR, came into force one year ago, on May 25, 2018.
For this initial period, significant figures on the impact of the new legislation are already available, as presented by the International Association of Privacy Professionals (IAPP).
More than 56 million euros in fines have already been counted, equivalent to approximately R$ 257 million. Under the GDPR, the fines imposed on companies in breach of its terms may range from 2% to 4% (depending on the size of the organization) of the company's total revenues in the previous year. It should be noted that this criterion is not restricted to the revenues of the territory where the penalized company is located (as it is in the Brazilian LGPD), but encompasses the organization's global turnover.
In addition, more than 64,000 data breaches were reported to the competent Data Protection Authorities (DPAs), and more than 94,000 individual complaints were filed questioning the way in which personal data is handled by controllers. Among the most common issues are employee privacy, unsolicited marketing, unlawful processing, and requests for access to and/or deletion of data. Lastly, there are indications that the GDPR has created new positions on the European continent in its very first year in force: more than 375,000 Data Protection Officers have been registered with data protection bodies, with emphasis on Germany, France, Italy, the United Kingdom and Spain.
From the regulatory point of view, it is worth noting that the European Data Protection Board is still expected to prepare guides in 2019 on the application of the GDPR to specific themes such as connected cars, personal data of children, video surveillance, codes of conduct and certifications, among others.