GDPR: Second Year Anniversary  

Back to blogs

26 May 2020 | 5-minute read 

25 May 2020 marks the second anniversary since the EU's General Data Protection Regulation (GDPR) came into effect. The introduction of the GDPR was the most important change in data privacy regulation for a decade, designed to restructure the way in which personal data is handled across every sector (public or private) and all industries.

When GDPR took effect in May 2018, it signalled the start of more aggressive privacy oversight and enforcement. The diversity and scope of enforcement actions have posed challenges for both regulators and businesses. In an attempt to provide a uniform approach to GDPR, the LMA led a cross-market working group comprised of representatives of managing agents, brokers, Lloyd’s, LIIBA, and incorporated legal input from a variety of sources.

The group produced market guidance and developed a suite of wordings, endorsements and updated market model agreements. The LMA also worked to assist managing agents with operational issues. The LMA also produced an interactive, easy to-navigate version of the London market Core Uses Information Notice, which was designed to assist policyholders in understanding how their data may be used across the insurance distribution chain. The aim was to provide a consistent approach in providing market level information which assisted policyholders as well as London market brokers and carriers.

Since the GDPR has been in effect, there have been over 160,000 reported data breaches requiring enforcement, and over €126 million in GDPR fines. The diversity of monetary fines and enforcement actions is striking, and clearly demonstrates the GDPR’s broad scope. Thousands of GDPR actions are currently pending, and organisations should expect EU regulators to continue to pursue non-compliance aggressively.

One of the primary benefits of GDPR enforcement has been the overall raising of awareness of data privacy issues and the adoption of ‘privacy by design’ by organisations across Europe. The GDPR has also spurred regulatory momentum in many other regions, including the US. It has had a far-reaching global effect and has influenced data privacy discussions worldwide. Many countries in Europe not subject to EU legislations have adopted compliance regulations almost identical to the GPDR, including Norway, Switzerland, Iceland and Liechtenstein.

Likewise, some countries in Asia and Africa with close relationships to Europe have redesigned their data privacy regulations, including South Korea and India. Other privacy legislations appear to be heavily influenced from GDPR, in giving rights of data subjects, data breach detection/prevention and accountability, like the California Consumer Privacy Act (CCPA) and most recently, the General Law of Data Protection in Brazil.

As well as being the two-year Anniversary of the GDPR, 25 May 2020 will also mark the European Commission's review and evaluation of the regulation.

The GDPR remains a ground-breaking piece of legislation and it will continue to evolve through 2020 and beyond as Data Protection Regulators continue to show their teeth with their wide-ranging fining powers.