Now into the third year of GDPR, questions are being asked about what change it has brought about. This article notes there have been around 340 GDPR fines totaling approximately $180 million over the last two years. However, two of the largest fines amounting to a combined $350 million are still to be confirmed in the coming weeks — British Airways ($229mn) and Marriott ($123mn).
The fines are notable, especially if the BA and Marriott penalties stick. But two years into its existence, two of the biggest impacts of GDPR could be the way in which it has helped raise public awareness of privacy issues, and the fact that it has created a common regulatory position on the topic. Big tech companies—especially the data brokers like Google and Facebook—initially lobbied against the regulation, warning amongst other criticisms about the hindrance it would place on innovation. But this has not come to fruition.
It remains to be seen how much the landmark regulation has changed the privacy and data protection practices of companies. Despite increasing proclamations from companies like Apple and Microsoft about data privacy as a human right in need of comprehensive legislation at a federal level, no such bill is in sight in the US.
Data is today’s most valuable asset, yet it continues to go largely unregulated. As we have highlighted before, well enforced regulation of how data is used and how well it is managed by companies is still needed as a pillar of the digital transformation that dominates the global economy.