Sep 18 2018

The Summer of GDPR: Reflecting on the first 90 days

On May 25, the countries of the European Union entered into a brave new world. The sweeping new General Data Protection Regulation (GDPR) went into full effect. GDPR was hailed as a win for personal privacy when it comes to how a company handles your data, but as with any new law, there is a period of adjustment. Companies may struggle to be fully compliant, either due to a lack of preparation or a lack of comprehension. It’s worth a look back over the first three months of life with GDPR to see what has worked and what has not.

In terms of what has worked, Europeans are likely happy. The purpose of GDPR is to control what data companies can access and how they can use it. It was intended to provide a clear understanding of privacy rights for citizens and allow them a better way to file complaints if they suspect or know that their private information is being misused or abused. In this day and age, where many companies are collecting and selling our data, this has to be seen as a big step forward, and perhaps GDPR becomes the template for similar legislation outside of the EU.

The GDPR, in making it easier to file a complaint, also established tiered penalties for offending companies, and they are quite severe. For a lesser offense, the company in violation would be fined 2% of its annual revenue or 10 million Euro, whichever is greater. If the violation reaches the next tier, the fine doubles to 4% of annual revenue or 20 million Euro, again whichever is greater. This is a harsh penalty, forcing any company that handles data in Europe to take greater care of it and ensure it does nothing to generate a complaint. Being found in violation of GDPR could be quite costly.

With this price tag on violations, privacy groups were certain to waste no time in filing complaints against some of the biggest companies out there. For example, within hours of GDPR coming into effect, an Austrian privacy group, “None of Your Business,” filed suit against Google, Facebook, Instagram, and WhatsApp. If the complaints are found to be valid, the total fines could reach $9.3 billion. Similarly, a French digital rights group, “La Quadrature du Net”, went after its own big targets, filing complaints against Apple, Amazon and LinkedIn. It later added complaints against Gmail, YouTube and Search, with these complaints going after the larger Alphabet/Google umbrella. The group kept going, later adding Skype, Android and Outlook to its list.

It’s clear, at least in the early going, that these privacy advocacy groups are intent on looking at the biggest companies. This plan likely makes sense on a number of fronts. Bigger companies, such as Alphabet, Apple, and Microsoft, have many different brands and reach millions of users a day. As such, there are millions of data records being handled, and that’s a lot of opportunities for violations to occur. Additionally, each of these companies also has a fair bit of wealth at its disposal – thus, fines, if levied, would not be crippling to the companies and would be paid out. While some of the firms filing complaints are non-profits, some businesses are creating new business models around the process, seeing the fines as a possibly lucrative money-making opportunity.

Outside of the penalties, IBM performed research ahead of the go-live date. With GDPR enacted, companies have taken notice and changed how they handle data. Many companies indicated they would collect or retain less data. Others would store data for shorter periods of time. Further, companies acknowledged that they would ensure fewer employees had access to personal data. All of these are indications that, at least early on, GDPR is having a positive effect as it pertains to data protection. It will be interesting to observe, as complaints continue to be filed and as those complaints are reviewed and ultimately ruled on, which companies are hit hardest and how businesses react and respond.