There is no question that the EU’s General Data Protection Regulation (GDPR) has been one of the most feared, anticipated, and talked-about regulations of recent years. Now, more than a year after the GDPR came into force, we can see the impact it has had on the way companies do business.
Enforcement of GDPR
The GDPR’s maximum fine of €20 million or 4% of annual global turnover, whichever is higher, is no doubt a steep price that businesses would like to avoid. But some have questioned how strictly the penalty will be enforced, if at all.
The first year after the introduction of the GDPR saw 144,000 complaints, 89,000 data breach notifications, and $63 million issued in fines. The lion’s share of that ($57 million, or €50 million) was the fine imposed on Google for not obtaining valid consent from users to personalize ads with their data. Most other fines were in the tens of thousands of dollars, with a few reaching the hundreds of thousands.
However, many European regulators treated the first year as a period of leniency; once it ended, big names started to be hit with record penalties. The UK’s ICO announced its intention to fine British Airways £183.39 million ($228.64 million), about 1.5% of its annual global turnover, for an earlier, highly publicized data breach that affected roughly 500,000 of its customers. Shortly afterwards, PwC, one of the big four accounting firms, was fined €150,000 by the Greek data protection authority for unlawfully processing its employees’ personal data, relying on consent as the legal basis where it could not validly apply and without properly informing the employees. It is worth noting that PwC was known as one of the first companies to help its clients with GDPR compliance.
Impact on businesses
According to a survey by the International Association of Privacy Professionals (IAPP), fewer than 50% of businesses are GDPR compliant, but 76% of respondents believe they must comply and are taking steps towards it. The average spend for a company working towards GDPR compliance was $3 million, with 65% saying they feel their budget is not enough.
The hype around the GDPR, along with the many data breach incidents and data abuse scandals, has also helped to raise user awareness of their data and privacy rights. This serves as an additional reason for companies to comply. The job search site Indeed reported a 700% increase in vacancies for data protection officer (DPO) roles between April 2016 and December 2018. The IAPP report also found that while 75% of companies said they have a DPO, 48% said they were not required to appoint one but did so because the role serves a valuable purpose in the company.
This could signal a shift in the way businesses think about user privacy and security. Whether spurred on by the GDPR or not, several other privacy and security regulations, such as California’s CCPA and Brazil’s LGPD, are expected to come into effect in the coming years. While we may not be in the golden age of data privacy yet, the pre-GDPR days of collecting user data freely are certainly over.
Choosing compliant SDK vendors for your mobile app
There is undeniable progress in the response of businesses to the GDPR, and companies are becoming more compliant every day. However, 56% of the businesses surveyed by the IAPP were not yet GDPR compliant, and 19% believed that full compliance is not even possible. Users are also still wary of sharing their data, with 45% of EU users saying they do not feel confident about their privacy online.
This is not good news for mobile apps, which, according to SafeDK, integrate 18.2 third-party SDKs on average, because the app publisher is responsible for the data those SDKs gather. And since research has shown that one in four companies could be tricked by a forged email into disclosing someone’s personal information, companies should not be satisfied with a mere statement of compliance and must choose their vendors wisely.
As the “data controller” under the GDPR, the app publisher must find out exactly how each SDK collects, transmits, and stores data. That alone is not enough: you also need to know what processes the vendor has in place for handling data access and deletion requests, and what security measures and protocols govern access to and processing of the data. Under Article 28 of the GDPR, a controller may only use processors that provide sufficient guarantees, and the relationship must be governed by a written data processing agreement, so ask for that agreement as well. SDK vendors that have taken, or are taking, the steps to comply should have no problem sharing their privacy and security practices with you.
The GDPR may not have been an overnight revolution in how people view and handle user data, but it has undeniably changed both businesses and consumers. With new data privacy regulations expected to go into effect soon in several countries, the privacy and security of user data will only gain in prominence. In time, good privacy and security practices will be required even if you have no users from the EU.