GDPR: Blowing out the first candle

Maxim Uslamin
Gyana Limited
May 24, 2019

Europe has proven to be the most active of the continents when it comes to data privacy. The EU's activity in this space peaked with the creation of the General Data Protection Regulation, commonly known as GDPR.

Enforced exactly a year ago, on the 25th of May 2018, GDPR is designed to ensure that organisations handling the private data of users within the EU take measures to protect that data against misuse. It aims not only to safeguard the data of individuals in Europe but also to protect that data when it is exported outside the European Economic Area, where data legislation is still very much absent. Finally, one of the primary goals of GDPR is to rebalance corporations' power over consumers and give control of individual data back to the users.

After a full year of GDPR enforcement, it is time to assess its overall impact on businesses and users:

· During the month of the release, the term “GDPR” was trending higher in Google Search volume than Beyoncé and Kim Kardashian. With 300,000 mentions in the media worldwide, it managed to over-shadow even Mark Zuckerberg.

· 67% of Europeans are aware of what GDPR represents and 57% of people know there is an entity in their country that protects their personal data — a 20% increase since 2015.

· The breach rate went down from 43% to 32%, according to the 2019 Cyber Security Breaches Survey.

· The same source states that 30% of businesses and 36% of charities have made changes to their cyber security policies and processes as a result of GDPR coming into force.

· In 2018, consumers believed they received less email than ever before, estimating this at around 57 per week to their personal inboxes, down from 73 in 2017, and less than half of these (44%) were actually from brands.

· Most marketers (56%) feel positive about the impact the new laws have had on their email campaigns — just a fifth feeling the contrary (20%) — resulting in a marked increase in the returns from email and other key measurement metrics for the channel.

Everything that shines is not always gold

One of the pitfalls that might be holding back some additional benefits of the GDPR is the fact that the EU has been noticeably lenient with compliance and the issuing of penalties.

As per the regulation, authorities should issue penalties of up to 4% of an organization’s annual revenue or up to 20 million euros for the infringement of the GDPR.

However, according to a European Commission report from a few months ago, there have been 60,000 reported breaches since GDPR came into effect and only 91 fines were issued across all member countries.

Of these, only one was exemplary. In January, the French government imposed a €50 million fine for improper processing of personal data for advertising purposes without authorization. The remaining penalties averaged between 5,000 and 20,000 euros.

This leniency can encourage companies to wait before investing in full GDPR compliance. Many organizations have set up or refreshed their legal framework for data privacy, improved defences against data breaches, and begun managing user consent more rigorously. However, other companies are not willing to deal with the cost of new technologies, consulting services and manpower necessary to be rigorously aligned with the regulation.

Another weak point of GDPR is consent.

The law requires organisations to minimize data collection, get explicit permission for collecting data, and explain to consumers in unambiguous language why they are collecting the data, how they will use it, and with whom they might share it. Organizations have up to 72 hours, in most cases, to report a data breach affecting consumer data to the appropriate data authority in their country.

However, ticking a box does not necessarily mean consent is freely given. Very often a consumer has no choice but to accept the conditions imposed by the website, in order to use the service — most of the time without realising what they are agreeing to.

To conclude

Although GDPR represents the first real step towards data privacy and ownership, it is clear that there is still room for significant improvement in some aspects.

Not every company, for one reason or another, felt the need to invest in compliance and genuinely focus on users' data privacy. As a result, many users simply accept all the new conditions just to access the services they want, without really reading or understanding what giving consent means.

However, in only a year GDPR has shown great impact not only within the EU, but all across the globe. California is now looking forward to enforcing a similar regulation, with New Zealand, Brazil and other countries following. Despite the need for some slight changes in the regulation and stricter enforcement, GDPR has set a new benchmark in the data privacy space and has impacted both organisations and users around the world.
