Read the official GDPR law text here.<\/a><\/p>\n\n\n\n Special Eurobarometer from the EU Commission available here<\/a>.<\/p>\n\n\n\n If you have a website, you most likely have cookies and tracking technology operating on your site and you are therefore required by the GDPR to comply to its rules.<\/p>\n\n\n\n This includes:<\/p>\n\n\n\n In doubt whether your website is GDPR compliant? Test with the free compliance test from Cookiebot consent management platform (CMP)<\/a><\/p>\n\n\n\n Try Cookiebot CMP free for 14 days<\/a>... or forever if you have a small website.<\/p>\n\n\n\n If you have a website that provides services to the EU, you are legally bound to be compliant to the GDPR.<\/p>\n\n\n\n This means that you must follow its requirements for how to handle user data and personal information.<\/p>\n\n\n\n Using a consent management software like Cookiebot CMP can make you 100% GDPR complianct.<\/p>\n\n\n\n Sign up and try for free today<\/a>.<\/p>\n\n\n\n One year into the enforcement of the GDPR, we are slowly beginning to see its impact.<\/p>\n\n\n\n Special Eurobarometer from the EU Commission available here<\/a>.<\/p>\n\n\n\n While fines have been slow to ramp up against companies and businesses who violate the GDPR, its effects can also be seen on new privacy laws springing up around the globe, as well as its role as an instigator of public privacy discussions.<\/p>\n\n\n\n The GDPR can be enforced in various ways, ranging from \u2013<\/p>\n\n\n\n So far, the most common GDPR enforcement has been warnings and fines.<\/p>\n\n\n\n Special Eurobarometer from the EU Commission available here<\/a>.<\/p>\n\n\n\n The sum of GDPR fines one year into its enforcement amount to approximately \u20ac56.000.000, according to the IAPP.<\/a><\/p>\n\n\n\n The average GDPR fine has so far been approximately \u20ac70.000, according to the London-based accounting firm Ernst & Young.<\/a><\/p>\n\n\n\n GDPR enforcement in numbers (infographic by IAPP)<\/a>.<\/p>\n\n\n\n Most of the GDPR enforcement cases so far have been discretionary, i.e. they have been imposed on a case-by-case basis.<\/p>\n\n\n\n The fines differentiate based on the what articles of the GDPR a company violates<\/a>: if it violates its own obligations it will be subject to lower level fines, whereas violations of individual privacy rights will be subject to higher level fines.<\/p>\n\n\n\n Germany, Poland, Denmark, Austria and Portugal are among EU member states that have fined companies or organizations for GDPR violation in this first year.<\/p>\n\n\n\n The French data protection authority CNIL can rightly be called the leading watchdog of GDPR when it comes to both enforcement and guidance so far.<\/p>\n\n\n\n CNIL received over 11.000 complaints in 2018 \u2013 an increase of 32.5% from the year before \u2013 and a large percentage of the complaints has been centered around the GDPR-introduced right to request deletion of personal online data. The French DPA has also been exemplary in guiding companies in GDPR compliance, as well as advising government legislation.<\/p>\n\n\n\n The largest monetary enforcement of the GDPR yet also emerged from CNIL on January 21, 2019, when the French data protection authority levied a \u20ac50 million penalty against Google for three separate GDPR violations<\/a> \u2013 lack of transparency<\/strong> (Article 12), inadequate information<\/strong> (Article 6) and lack of valid consent regarding the ads personalization<\/strong> (Article 7).<\/p>\n\n\n\n The \u20ac50 million fine was the result of an investigation launched on the basis of two group complaints by the privacy associations None of Your Business (noyb)<\/a> and La Quadrature du Net (LQDN)<\/a>, who accused Google of violating the GDPR regarding the processing of personal data, particularly in the case of personalized advertisements.<\/p>\n\n\n\n \u201cFor the first time a European data protection authority is using the possibilities of GDPR to punish clear violations of the law\u201d<\/em>, said the chairman of noyb Max Schrems.<\/p>\n\n\n\n These complaints were put to the French DPA on May 25 and 28 of 2018, that is, on Day One and Day Three of the enforcement of the GDPR. That it took CNIL six months to investigate and enforce, tells us something about the timeframe of larger GDPR enforcement cases\u2026 and might hint at much larger enforcements to come.<\/p>\n\n\n\n Special Eurobarometer from the EU Commission available here<\/a>.<\/p>\n\n\n\n Technically, Ireland has the singular role of being the GDPR\u2019s lead regulator.<\/p>\n\n\n\n Why, you might ask?<\/p>\n\n\n\n Well, because a provision in the GDPR specifies that its lead regulator be the country that houses a tech company\u2019s data controller, and because Ireland is the European headquarters for many big tech companies such as Facebook and Google, who enjoy lax tax arrangements from the Irish government, Ireland has the responsibility of leading the enforcement of the GDPR against the industry\u2019s biggest.<\/p>\n\n\n\n Both the German and French DPAs have expressed their frustrations<\/a> over the Irish DPA\u2019s lack of enforcement.<\/p>\n\n\n\n However, the Irish DPA revealed recently that their office plans to announce enforcement actions this summer<\/a>, adding that they currently have 51 large-scale privacy investigations open, 17 of which involve tech companies like Twitter, WhatsApp, Instagram, LinkedIn and Apple, while 7 cases specifically involve Facebook.<\/p>\n\n\n\n On May 22, 2019 \u2013 three days short of GDPR\u2019s birthday \u2013 the Irish Data Protection Commission (DPC) announced a comprehensive investigation of Google\u2019s DoubleClick company<\/a> (in the meantime rebranded as Authorized Buyers) for \u201csuspected infringement\u201d of personal data processing. The probe was triggered by a formal complaint from Dr. Johnny Ryan, Chief Policy Officer at Brave, the private web browser.<\/p>\n\n\n\n This investigation could lead to severe fines against Google, or even worse for the company: a complete prohibition of using personal data in its advertising system. The GDPR is showing teeth indeed.<\/p>\n\n\n\n A year into the enforcement of the GDPR we\u2019ve mainly seen smaller fines, but have now begun to see larger and larger investigations and fines on the horizon, exactly because the bigger enforcement cases against the biggest industry heavy weights take a long time to build and execute.<\/p>\n\n\n\n This is why privacy experts say that they expect larger GDPR fines are on the way. <\/a><\/p>\n\n\n\n The GDPR authorizes the national data protection agencies to be the chief enforcing bodies of the law. This means that national DPAs can fine companies (up to \u20ac20 million or 4% of their global revenue) or they can dictate how or what data companies can use in their business.<\/p>\n\n\n\n The latter can be enforced e.g. in the case of a data breach, where regulators deem a company negligent. In this case, they may issue an ultimatum for the company to either rectify the breach within 90 days or stop using the data that it has collected.<\/p>\n\n\n\n Special Eurobarometer from the EU Commission available here<\/a>.<\/p>\n\n\n\n If a company relies on data collection as a core business model for profit, this could potentially be a bigger blow than a fine, however large.<\/p>\n\n\n\n So far, there have been only two examples of such<\/a>: <\/p>\n\n\n\n One year into the GDPR, we begin to see another of its impact that hasn\u2019t to do with fines or enforcement, but with legal change \u2013 what LinkedIn\u2019s head of global privacy recently called \u201cthe GDPRization of laws across the world\u201d<\/em><\/a>, meaning that laws all over the globe are beginning to spring up and take shape with inspiration from the GDPRs scope and strength.<\/p>\n\n\n\n Among the nations or states in the world that either have passed or are in the process of passing privacy laws are \u2026<\/p>\n\n\n\n Argentina, Israel, Chile and China are among other nations who are working on privacy laws and regulations.<\/p>\n\n\n\n When it came into effect on May 25, 2018, GDPR was a top Google search keyword<\/a>, outnumbering both Beyonc\u00e9 and the Queen of England. <\/p>\n\n\n\n It doesn\u2019t anymore, but its mainstream reach is still to be felt. The effect of the GDPR has also been to foster a public discussion about privacy<\/strong> that is still raging to this day.<\/p>\n\n\n\n Special Eurobarometer from the EU Commission available here<\/a>.<\/p>\n\n\n\n Its date of effect a year ago more or less coincided with the revelation about the Facebook\/Cambridge Analytica scandal<\/a>, perhaps the biggest, most reported privacy crisis last year, only rivaled by the digital interference by the Russian government in the US presidential election. <\/a><\/p>\n\n\n\n![\"GDPR](\"\/media\/3538\/gdpr-infographic.jpg?width=428&\")
<\/figure>\n\n\n\n\n
GDPR consent management after one year<\/h2>\n\n\n\n
GDPR enforcement overview<\/h2>\n\n\n\n
![\"Infographic](\"\/media\/3539\/gdpr-infographic-cross-border-cases.jpeg?width=437&\")
<\/figure>\n\n\n\nHow can the GDPR be enforced?<\/h3>\n\n\n\n
\n
![\"Infographic](\"\/media\/3540\/gdpr-infographic-complaints.jpeg?width=500&\")
<\/figure>\n\n\n\nGDPR fines in Year One<\/h3>\n\n\n\n
![\"Infographic](\"\/media\/3541\/gdpr_anniversary_infographic_2019.jpg?width=453&\")
<\/figure>\n\n\n\nFrance leads the GDPR enforcement in Year One<\/h3>\n\n\n\n
![\"Infographic](\"\/media\/3542\/gdpr-infographic-fines.jpeg?width=500&\")
<\/figure>\n\n\n\nIRELAND, a challenge and a promise<\/h3>\n\n\n\n
![\"Arial](\"\/media\/3543\/nils-nedel-454383-unsplash.jpg?width=500&\")
Other GDPR enforcement techniques<\/h3>\n\n\n\n
![\"Infographic](\"\/media\/3544\/gdpr-infographic-data-breaches.jpeg?width=500&\")
<\/figure>\n\n\n\n\n
GDPR as ripple initiator \u2013 privacy laws around the globe<\/h2>\n\n\n\n
![\"Row](\"\/media\/3545\/osman-rana-293976-unsplash.jpg?width=375&\")
\n
Public awareness of the ad tech industry and privacy<\/h3>\n\n\n\n
![\"Infographic](\"\/media\/3546\/gdpr-infographic-dpas.jpeg?width=500&\")
<\/figure>\n\n\n\n