The General Data Protection Regulation or GDPR is a data protection law that requires all organizations operating in European Union (EU) member states to comply with the laws on securing the personal data of those residing in the EU. This law came into effect on May 25, 2018, and standardizes data privacy laws in Europe.
The law also allows European citizens to have more control of their personal data. Under this law, organizations should ask their customers whether they agree to be governed by the privacy policies and consent of GDPR.
Organizations are further required to conduct a Data Protection Impact Assessment (DPIA) for projects that bear a high-risk potential. Many countries that operate under GDPR aren’t strict when it comes to enforcing the requirements of GDPR. Only 68 countries have been fined from the time GDPR became effective. Ireland issued only four fines despite being the home of Big Tech in Europe.
On the other hand, Twitter only received one fine. Out of the 323 sanctions issued in 2020, Spain and Italy received more than half. Italy has the highest number of fines issued from the time the GDPR became effective. Spain was ranked fifth after Germany, France, and Great Britain.
Italy And Spain More Dedicated To Enforcing GDPR Rules
Experts say that Italian and Spanish DPAs issue fines that are proportional to the volume of damage and the size of the company. Regulators in these countries also resolve cases quickly regardless of whether an organization is large or small. For example, out of the 39 fines issued by Italy’s DPA, three of them were over 1 million Euros. Twenty fines were 10,000 Euros and below. Spain is more conservative when it comes to issuing fines.
Out of the 133 fines issued in 2020, only one was 5 million Euros, the others were less than 10,000 Euros. Furthermore, ever since GDPR came into effect, only four fines were more than 100,000 Euros. According to experts, people are beginning to suspect that Spanish regulators are only going after open and close cases. These are cases that cannot be challenged because the violations are clear.
However, the Spanish DPA recently increased the intensity of their operations, issuing a 6 million Euro fine against CaixaBank. The approach by Spain and Italy discourages non-compliance.
How UK And France Implement GDPR
When compared to the UK and France, Italy and Spain have issued more sanctions and fines when implementing GDPR. Regulatory authorities in the UK and France only issue few and high individual fines. This means if you aren’t a global or giant brand, the chances of being penalized are pretty slim. Furthermore, many large fines are appealed, which negatively impacts the resources of enforcement teams and their power to issue more penalties.
It’s Too Early To Compare GDPR Implementation Approaches
According to Jane Sarginson, an attorney at a law firm, St. Philip Chambers, the size of a sentence or amount of fine issued doesn’t matter. Sarginson doesn’t believe that the approaches adopted by Italian and Spanish DPAs are any different from those taken by other DPAs.
Instead, Sarginson affirms that the country with the best approach is the one with the highest notifications of complaints and violations. This shows that the citizens in this country have a good understanding of privacy breaches. Research by DLA Piper puts Ireland, Denmark, and the Netherlands ahead of other countries, with Italy and Spain among the bottom six countries.
Furthermore, Sarginson argues that actions such as strikes, warnings, prohibiting data processing, and regulating changes to processes are more effective at discouraging violations than fines. Sarginson believes the best way to gauge a regulator’s success is whether they have succeeded in changing the mentality on data privacy to encourage compliance and self-reporting.
He adds that the way EU member countries apply and implement GDPR varies, and it’s only when this variation is reduced that one can compare the enforcement approaches of different countries.
Winding It Up
GDPR is a set of regulations that ensure data protection. These laws affect European Union member states. Although many believe Spain and Italy have shown more dedication to enforcing GDPR laws than other countries, some argue that ranking the countries that have the best record of enforcing GDPR rules isn’t possible at this point and only based on conjecture. This is because all of the member countries have varied ways of implementing GDPR rules.
The main steps involved in enforcing these rules involve informing clients about their right to consent to these regulations and appointing a data protection officer (DPO) to supervise your data protection strategy and make sure you comply with GDPR rules. Failing to appoint a DPO amounts to non-compliance and can subject your company to a fine.
You’re also required to report breaches that may lead to unlawful or accidental destruction, alteration, loss, and disclosure of personal data. It will be interesting to see how European Union member states improve their implementation of GDPR regulations in the coming months.