First came GDPR, and then Brexit burst onto the scene, followed closely by Covid-19. All in all, it has been a strange few years, but it’s worth mentioning that grand events also bring with them grand changes, some of them even positive. Covid-19 has sensitised us to wellness, resilience and mental health, and Brexit has re-opened discussions on immigration, independence, and investment. What, then, has GDPR given us?
It has certainly changed the face of HR on a very practical level. Compliance has become second nature to HR people across the land and sensitivity to personal data is part of the job description, which can only be a good thing. New departments have arisen that have changed the HR landscape. To illustrate, Legaljobs reports that in 2017 there were around 83,000 data protection officers on the market. Today, we have over half a million DPOs with HR professionals needing to work hand-in-glove with this growing number of GDPR compliance enforcers.
It is hoped that the amount banks have had to spend in implementing GDPR procedures will be a one-off. New guidelines and developments in technology, however, will mean that compliance continues to be top of our HR checklist.
In fact, GDPR requires the establishment of a DPO in three situations; two of them when large-scale activities are undertaken such as the regular large-scale monitoring of data subjects or the large-scale processing of special categories of personal data (sensitive data or data regarding criminal convictions and offenses). The final situation concerns data processing by a public authority.
It is useful for HR to note that in every other case the appointment of a DPO is optional, yet many companies decide to do so anyway. Why is that? Taking into account the fact that GDPR is a relatively new legislation and that there are a host of other legal regulations, guidelines and policies also coming into force, DPOs often demonstrate an extremely broad knowledge of the subject and an ability to efficiently react to changes in the business environment. With demand for DPOs rising to over 700% at present, HR departments will inevitably need to continue recruiting.
The cost of compliance
Like it or not, GDPR has been a burden on the finances of companies. Estimates vary, but a 2020 PwC report found that 88% of organisations that had already completed their GDPR compliance preparation had spent more than $1 million on it and 40% had spent over a whopping $10 million. In fact, to date, over $9 billion has been spent on GDPR compliance.
If spread over sectors, one industry seemed to be disproportionately hit with GDPR costs. According to Statista, the banking sector had to fork out €79 million for GDPR implementation. This will continue to place a greater burden on our HR colleagues in this sector.
Banking’s position as a top GDPR compliance spender should come as no surprise though. The legal regulations surrounding the industry are extremely strict, not only in terms of personal data protection, but also with regard to the AML/CFT i.e. anti-money laundering/combating the financing of terrorism.
It is hoped that the amount banks have had to spend in implementing GDPR procedures will be a one-off. New guidelines and developments in technology, however, will mean that compliance continues to be top of our HR checklist. Compliance never sleeps.
The cost of non-compliance
Interestingly enough, the sector in second place with regards to GDPR compliance spending, technology and telecoms, invested a measly €24 million (if compared to the banking sector’s $79 million).
Spending on GDPR compliance takes on greater significance if we look at the fines shelled out for non-compliance. The first ever GDPR fine to range in millions was issued to one of Germany’s largest internet and mobile providers, 1&1 Ionos. The penalty was close to €10 million. Moreover, the largest GDPR fine of €50 million was imposed on Google. Both of these companies were from the technology and telecoms sector. To date, GDPR fines have totalled approximately €360 million. So in short, it pays to pay for compliance.
Let us not forget that before the GDPR era, the protection of personal data in tourism, healthcare or internet-based services simply did not exist. Today, every entrepreneur who has any form of contact with personal data is acutely aware of the fact that this data must be protected. The fines imposed by the supervisory authorities have certainly contributed to this.
Appointing a DPO and increasing cooperation at the cross-section of personal data protection and HR can certainly give companies some level of comfort. What’s more, it can also be an important argument in the event of violations and something that is looked upon in a positive light by the authorities. HR should not forget, however, that entrusting personal data protection to a DPO does not release the company from liability for breaches. Most recently, the Dutch Data Protection Authority imposed a €475,000 fine on Booking.com because the company took too long to report a data breach – 25 days instead of 72 hours.
Interested in this topic? Read GDPR: coping with the epidemic rise of subject access requests.