6 years of the General Data Protection Regulation (GDPR): A Review


Since May 25, 2018, the General Data Protection Regulation (GDPR) has been in force within the European Union. The main goal of the regulation was to strengthen the protection of EU citizens' personal data, adapt legislation to the rapidly evolving digital reality and harmonise data protection rules across the Union. Six years on, it's time to evaluate the impact the regulation has had, what challenges have been faced and what the prospects are for the future.

Achievements of the GDPR

Strengthening Data Processing Rights for EU citizens

The GDPR has significantly increased EU citizens' awareness of their data protection rights. Key rights, such as the right of access, the right to data portability and the right to erasure (also known as the "right to be forgotten"), are now firmly established and are increasingly being exercised. As a result, EU citizens have more control over their personal data and a better understanding of how it is processed and used.

Increase in transparency

The GDPR has forced companies operating in the EU to be more transparent about the processing of personal data. Data controllers must ensure that users are informed in detail about the purpose of data collection, the duration of data storage and their rights as data subjects. This gives users a better insight into the processing of their personal data and enables them to make more informed decisions.

High fines for offences

A notable feature of the GDPR is the severe fines for non-compliance. Companies that break the rules can be fined up to €20 million or 4% of annual global turnover, whichever is higher (a lower tier of up to €10 million or 2% applies to less serious infringements). These strict sanctions have encouraged companies to take data protection seriously and enhance their compliance efforts. Prominent cases, such as the substantial fines against Google and Meta (Facebook), show that the supervisory authorities are prepared to take consistent action against infringements of the GDPR.

Standardised data protection framework in the EU

Before the GDPR, there were a large number of different data protection laws in the EU, which made cross-border data flows and cooperation difficult. The GDPR has created a standardised legal framework that simplifies this enormously. Companies no longer have to adapt to a variety of national regulations and can now rely on a single framework that applies across the Union.


Challenges of the GDPR

Complexity and implementation costs

Many small and medium-sized companies are struggling with the complexity of the GDPR and the related costs. The requirements for documentation and proof of compliance are often difficult to fulfil, especially for companies that do not have the necessary resources. This has left many companies overwhelmed and poses a barrier to fully implementing the regulation.

Enforcement and monitoring

Although the GDPR provides for strict sanctions, enforcement is not always effective. Many national data protection authorities are not sufficiently staffed or financed to consistently prosecute all infringements. This in turn leads to inequalities in the enforcement of sanctions across the different EU countries.

Extended information clauses

One problem that is often mentioned is the extensive information notices that companies have to provide at "every opportunity", which are often ignored by everyone except data protection lawyers. Unfortunately, the intended information function sometimes turns out to be somewhat illusory: it only becomes relevant in the event of a dispute or a complaint from the data subject. Some business representatives argue that instead of publishing a "wall of text" at every opportunity, data controllers should provide easy and constant access to this information when it is actually needed or requested by the individuals concerned.

Major fines


A total of 2,086 fines amounting to almost €4.5 billion: that is the six-year record of GDPR enforcement in the EU according to an analysis by the law firm CMS, based on data collected in the GDPR Enforcement Tracker database.

The UK has so far imposed a total of 15 fines under the GDPR, amounting to over €75 million. These fines cover various types of infringements, with some prominent cases resulting in larger penalties. One of the highest fines in the UK was imposed on British Airways, which had to pay £20 million. This fine was due to security deficiencies that led to a significant data breach, compromising the personal data of around 400,000 customers. Another notable case involved the Marriott International hotel chain, which received a fine of £18.4 million following a major data breach.

German companies have incurred 186 fines totalling €55 million, the largest being the €35 million imposed on H&M for an insufficient legal basis for data processing.

When comparing GDPR fines across European countries, Ireland leads with the highest total, over €2 billion, primarily due to large penalties against major tech companies whose EU headquarters are in Ireland. At the other end of the top ten, the Netherlands has a total of €25 million in fines.

Regarding the number of individual fines, Spain leads with 881 fines in total. With just 15 fines, the UK has a significantly lower count and ranks at the bottom of the top ten.

Meta is by far the most heavily fined company under the GDPR. The group is responsible for six of the ten highest fines: four against Meta, one against Facebook and one against WhatsApp. The largest fine to date, €1.2 billion, was imposed on Meta in 2023 by the Irish Data Protection Commission for transferring EU users' personal data to the US without an adequate legal basis.

Other large companies have also been sanctioned: in 2021, Amazon was fined €746 million by the data protection authority in Luxembourg. In the same year, Google was sanctioned twice for non-compliance with the general principles of data processing, with fines totalling €150 million. TikTok had to pay around €345 million for similar infringements of the GDPR in 2023.

With 635 cases since 2018 and fines totalling €1.6 billion, the most common ground for fines is an insufficient legal basis for data processing, closely followed by non-compliance with the general principles of data processing, with 578 cases and fines totalling €2 billion.


A look into the future

Adapting to new technologies

The rapid development of new technologies presents new challenges for the GDPR. Artificial intelligence, cybersecurity, big data and the Internet of Things raise questions that the GDPR does not always answer clearly. In order to keep pace with technological progress, new guidelines from the data protection supervisory authorities and new EU regulations will have to address these issues more closely in future.

International cooperation

International cooperation in data protection is essential for effective and secure cross-border data transfers. For this reason, the EU is increasingly seeking agreements with third countries in order to promote a comparable standard of data protection and facilitate cross-border data flows. Such agreements aim to ensure that personal data is adequately protected even outside the EU.

In July 2023, the European Commission adopted a long-awaited adequacy decision for the EU-US Data Privacy Framework. This establishes that the United States ensures a level of protection comparable to that of the European Union for personal data transferred from the EU to US companies that have certified under the newly defined framework; transfers to non-certified US recipients still require other safeguards.

Stronger support for small and medium-sized companies

To make it easier for small and medium-sized companies to comply with the GDPR, additional support and awareness-raising measures by the data protection supervisory authorities and industry-specific trade associations would be useful. In addition to dedicated training programmes, this could include the development of cost-effective compliance tools tailored to the needs of smaller companies.

Conclusion

Six years after it came into force, the GDPR has profoundly changed the landscape of data protection in Europe and beyond. It has strengthened consumer rights, contributed to greater transparency and, through high sanctions, ensured that companies take data protection seriously. Despite these successes, challenges remain, particularly regulatory complexity, uneven enforcement and adapting to new technologies in a constantly changing digital world. Through international cooperation and targeted support for small and medium-sized enterprises, the GDPR can remain an effective tool for protecting data rights in an increasingly digitalised world.


28/08/24