On May 25, the European Commission celebrated the first anniversary of the implementation of the EU’s General Data Protection Regulation (GDPR). The Commission underlines that over these 12 months, the GDPR has served “to empower people and help them to gain more control over their personal data”. It also adds that companies benefit from this regulation since it has meant that they have had to put their data in order, and this in turn has improved their cybersecurity and has increased customer trust.

European Commission Eurobarometer: Awareness of the GDPR

 

Besides this, the Commission also wanted to spotlight citizen awareness of the regulation: according to data provided by Eurobarometer, 67% of Europeans have heard of the GDPR, and 57% know that in their countries, there is a public authority in charge of protecting their personal data. This means that awareness has increased 20% since 2015.

Citizens respond to the GDPR

However, beyond awareness of the regulation, it is worth asking whether citizens have exercised their data protection rights. To illustrate this point, the European Data Protection Board (EDPB) has gathered some statistics: member states have attended a total of 144,376 queries and complaints related to the regulation, and have reported a total of 89,271 data breaches. Among the most notable complaints are the illegitimate use of citizens’ data in telemarketing campaigns, CCTV recordings made without the appropriate notification, and, of course, the use of data fro email and spam campaigns. But, what about companies?

The law takes action

Despite the above figures, there have been some serious breaches of the GDPR by several large organizations that, as a consequence, have received hefty fines from national authorities. These fines could be up to €20 million, or 4% of the company’s global annual turnover. In total, the fines given out so far add up to €56 million. Among the organizations that have been fined are such important companies as Google: the French regulator fined the tech giant for a lack of transparency, inadequate information and lack of valid consent regarding ad personalization.

But smaller companies aren’t immune: a Polish company was fine €220,000 for gathering company and personal data without express permission And in November 2018, the authorities in the German state of Baden-Württemberg levied a €20,000 fine on a social network provider, the name of which wasn’t revealed publicly. The German press, however, attributed the problem to Knuddels, an online chat service that suffered a cyberattack in which 808,000 email addresses and 1,872,000 user names and passwords were exposed.

How to protect personal data?

During its first year, we’ve seen that breaching the GDPR can have grave consequences for organizations. And not just from an economic point of view; a company’s reputation can be seriously dented, since customer trust will be deeply affected.

This is why, in order to help organizations to comply with the GDPR, one of the key recommendations is the use of advanced technologies, such as the module Panda Data Control, integrated in the Panda Adaptive Defense platform.

This solution provides security, visibility and control for users’ personal data in real time. Among the most important features is its powerful customizable search engine; it is able to locate files that contain a particular user’s data under any search parameter. It can also discover, audit and monitor unstructured personal data (data that isn’t in a data base or any other structured format).

It also hugely simplifies management: it is native in Panda Adaptive Defense, which means that it requires no extra deployment or complex configuration.

Finally, it allows heads of organizations, DPOs, and other employees to demonstrate that the company has strict control over the personal data stored on its computers, how they operate, and how the data is moved about. Panda Data Control is therefore a solution that helps companies to avoid the serious consequences that stem from breaching the GDPR, making life easier for those responsible for the protection of the personal data stored by the company.