So where are all the GDPR enforcement actions? The General Data Protection Regulation (GDPR) entered into force at the end of May 2018, giving unprecedented powers to regulators. From ongoing regulatory audits to hefty fines and a range of new privacy requirements, the GDPR is the most dramatic change in data protection and governance in the last 20 years. Some firms are still completing their readiness plans, others are just waiting to see what happens next, and many are wondering why regulators have been so quiet over the last three months. Don’t be lulled by the apparent calm. While data protection authorities (DPAs) highlight that investigations of this nature take months to complete, even in cases of clear infringements, there is a lot of activity underway: 

  • Enforcement actions have already begun. The German DPA of the state of Schleswig-Holstein has issued the first enforcement action. In line with GDPR, she banned a company from collecting and processing data acquired by a webcam connected to the internet. The regulator judged the intrusion of individuals’ privacy disproportionate to achieving the legitimate interest of the company operating the webcam. They are now off to investigate organizations that use “Facebook Insights” as part of their websites, such as fan pages. 
  • UK regulators are also using the new GDPR powers. They’ve already reported numerous activities regarding assessments and audits of firms’ data protection practices. 
  • European regulators are collecting a large number of data breach notifications. The Irish regulator alone has received over 1,000 in the first two months of GDPR enforcement. Not all the notifications trigger enforcement actions, but some certainly will. 
  • Consumers have already logged thousands of data protection complaints. And more are expected. The UK regulator has received almost three times as many complaints compared to last year. Consumers’ reports of firms’ poor practices with their personal data is an obvious way to initiate regulatory audits, investigations, and trigger big fines. 

With this kind of activity keeping regulators busy, it’s just a matter of time before we see severe regulatory enforcement actions and fines. Skeptical firms that have done nothing to prepare for GDPR, hoping for lack of enforcement, must act now. Craft a road map to meet the requirements, and start off with data flow mapping. Beyond actual infringements, regulators will also be keen to heavily sanction firms for inaction or ignorance about privacy and security risks. Firms that are completing their GDPR readiness plans must now shift to sustained compliance. GDPR is not a one-off exercise. Instead, it’s an ongoing journey, and as such, it requires continuous data discovery and classification, automated risk assessments (including data protection impact assessments), dynamic due diligence on third parties, etc. Whatever maturity stage you are at, don’t take GDPR purely as a compliance headache, but treat it as a strategic business project.

Your biggest potential loss isn’t a large GDPR fine; it will be the lost opportunity to use it as a powerful lever to raise customer trust and drive growth. Firms that were first to embrace GDPR consistently report improvements in their business outcomes, including their customer experience and data strategies. GDPR is also pushing firms to innovate and prepare to deliver services of the future. For example, the head of digital customer experience of a UK bank has included privacy and GDPR as prominent variables in determining the future evolution of the bank’s services and customer experiences and made it a core element of his human-centered design work. A Spanish insurer is using customer journey analytics to power the privacy experience of its customers, and a US service provider has leveraged GDPR to update its customer contact strategy, inputting new discipline into building customer profiles and preferences, which translates into better customer engagement with more relevant and transparent interactions that promote trust.