Comply with GDPR or pay a hefty fine
The General Data Protection Regulation has been in effect for more than four years. That sounds like a lot. One could think it was ample time to get all the codified rules implemented. Let's rejoice at the feeling of newfound privacy.
GDPR, with its fines, is a strong deterrent. Right?
Spoiler alert: It isn't. But believe us, it should be.
Challenge
Unfortunately, we are far from the level of attention our Personal Data deserves.
We challenge you to pick a website you visit frequently. Don't press Accept on the Cookie Banner just yet. We know it is distracting and that it makes the site unusable in the first place.
In the browser, open the developer tools and view the network traffic and the cookies being set. If you don't know what we are talking about, don't worry.
We can almost guarantee you that the site you visited broke the law.
Even without knowing which site it was, we can guess:
- The Consent Form (aka Cookie Banner) is faultily implemented and sets cookies even if you decline.
- That is, if you are lucky enough to have a clear Decline option in the first place.
- Lastly, under the pretext of necessary functionality, you might still end up being exposed to spying, say by Google.
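To make the challenge above concrete, here is an added example (not code from the original post) that can be pasted into the browser console while the banner is still unanswered. It parses `document.cookie` and flags cookies that match well-known Google Analytics cookie names (`_ga`, `_ga_*`, `_gid`, `_gat`); the name list and the sample cookie string are assumptions constructed for the example.

```javascript
// Added example: audit cookies that are already set before any consent is given.
// The tracker name list is an assumption based on commonly documented Google
// Analytics cookie names; extend it for other vendors you see in the network tab.
const TRACKER_PATTERNS = [
  { vendor: "Google Analytics", test: (name) => /^_ga(_|$)|^_gid$|^_gat/.test(name) },
];

// Parse a document.cookie string ("a=1; b=2") into [{ name, value }] entries.
function parseCookies(cookieString) {
  return cookieString
    .split(";")
    .map((part) => part.trim())
    .filter((part) => part.length > 0)
    .map((part) => {
      const eq = part.indexOf("=");
      return eq === -1
        ? { name: part, value: "" }
        : { name: part.slice(0, eq), value: part.slice(eq + 1) };
    });
}

// Sort cookies into tracker cookies set without consent (the finding a
// compliance reviewer cares about), tracker cookies set with consent, and
// everything else (first-party or unknown names that need a manual look).
function auditCookies(cookieString, consentGiven) {
  const report = { trackersWithoutConsent: [], trackersWithConsent: [], other: [] };
  for (const cookie of parseCookies(cookieString)) {
    const match = TRACKER_PATTERNS.find((p) => p.test(cookie.name));
    if (!match) {
      report.other.push(cookie.name);
      continue;
    }
    const bucket = consentGiven ? report.trackersWithConsent : report.trackersWithoutConsent;
    bucket.push({ name: cookie.name, vendor: match.vendor });
  }
  return report;
}

// Constructed sample: what document.cookie might contain on a site where the
// banner has not been answered but the analytics script has already run.
const SAMPLE_BEFORE_CONSENT = "_ga=GA1.2.123.456; _gid=GA1.2.789.012; session=abc";

// In a browser, audit the live page; in Node there is no document, so skip.
if (typeof document !== "undefined") {
  console.log(auditCookies(document.cookie, false));
}
```

Run it before clicking anything on the banner; any entry under `trackersWithoutConsent` is a cookie the site set without asking.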
The website owner is almost certainly neither malicious nor of criminal intent. The owner of this hypothetical site ends up there for a few reasons.
GDPR is infamous for its complicated language and general complexity. Given its far-reaching impact on everyone in the EU and beyond, it should be more straightforward. We envy the quality of GOV.UK documents created under curated guidelines. The cottage industry of experts that emerged around this legislation only amplifies the confusion.
The Cookie Banner is likely a third-party tool. The vendor assured us that the software is GDPR compliant. We are getting the business off the ground and growing towards the next stage. We take this assurance at face value because dissecting complex legislation does not feel like our core competency.
The business just took off, and competition is fierce. The organization needs help, so the marketing, sales or operations team enables Google Analytics. It is free. It feels like a no-brainer. Immediate feedback gives the business the perception that it was a win. However, there were warnings on Google's website. The IT folks will deal with it later.
What comes next is one or more stages of denial, such as:
- GDPR is a scarecrow; nobody gets fined.
- We are small. Nobody will notice.
- Everyone does it.
If you use any of these three justifications, we suggest you revisit your priorities.
GDPR is a scarecrow; nobody gets fined
It is only February 2022, and the fines applied so far in 2022 already total €17 813 100.
In 2021, that amount reached an astonishing €1 304 648 113. That is a hefty increase from €171 582 286 in 2020.
Penalties for GDPR violations, and the resulting fines, are the norm
Thus far, a total of 964 fines have been issued. And authorities are picking up the pace.
We are small; nobody will notice
In 2021, the number of fines under €20K reached 248. The list of offenders included:
- a travel agency,
- a private individual,
- a physician,
- a university,
- and multiple private SMEs.
It is safe to say that there is no such thing as too small when it comes to enforcing Articles of GDPR.
Everyone does it
This argument is contentious, as you can imagine. We have shown that many businesses get caught violating the rules. Many others fly under the radar. And there are many who make a best effort to address the legal requirements.
The question is for you: do you value running a compliant business?
What can you do?
There is no easy way out. No Get Out of Jail Free card. The cost of running a business includes adherence to the laws under which it operates. Compliance with Data Protection regulations should not be an aspirational goal. It is your responsibility.
Fine statistics have been sourced from GDPR Enforcement Tracker.