It was meant to rebalance the power between us – the people – and Big Tech. This time one year ago, the EU dropped the General Data Protection Regulation (GDPR) bomb on us, which was meant to change the language of data privacy in business.
Businesses working in the EU, or with companies there, were put under the microscope, and those found guilty faced a whole bunch of fines and penalties. A staggeringly high count of 59,000 data breach reports shows that GDPR is pulling the rug out from under the businesses that weren’t ready. Amid the chaos came many predictions about how GDPR would revolutionise data privacy and entirely wipe out the loopholes in data processing and behavioural marketing.
A year later, on GDPR’s first anniversary, we can’t help but wonder – how is GDPR doing?
2018 could’ve easily been the year of data breach scandals. Like a reverse Midas touch, GDPR exposed the loopholes in every industry it dealt with. Forget Silicon Valley big guns like Facebook or Google; even mysterious data brokers got slapped with a bunch of GDPR fines, making a strong statement about its powerful reach. Regardless of geographical location or the size of the business, as long as a business processes or controls the data of an EU citizen, it is required to comply with GDPR.
Research showed that multinational accounting firms were among the worst affected by the legislation, yet they were the best at coping with it as well.
“Since May, 70% of organisations surveyed have seen an increase in staff who are either partly or fully focused on GDPR compliance. For many, this included the recruitment of a dedicated Data Protection Officer (DPO). Of the countries surveyed, the UK leads in this respect, with 92% of respondents assigning a DPO,” said Peter Gooch, cyber risk partner at Deloitte, who conducted a worldwide survey on GDPR-readiness of accounting firms.
The fear factor aside, widespread awareness of the need to safeguard data, combined with the doom-mongering about the upcoming avalanche of fines for data breaches, has actually worked well in cleaning up the flow of data.
Data exchange has become easier and better monitored since most companies have tightened their controls framework. Most companies operating under these new regulations are more accountable for how their clients’ data is being used and for when a breach occurs.
Especially in industries like outsourcing, both data controllers and processors have broken away from their old habit of blaming one another and have taken more interest in the risks that come with partnering with a non-compliant service provider.
If reaching out was GDPR’s first-year agenda, it can now check that off.
A lot of businesses were under the impression that GDPR’s jurisdiction was limited to the EU. Soon after coming into effect, GDPR showed that distance is not an excuse to get away with data breaches.
While Silicon Valley was under investigation for fines, a series of penalties was imposed on companies of all sizes in the UK – from British Airways to the pregnancy club Bounty UK. In fact, according to DLA Piper research, the Netherlands, Germany and the UK topped the list of countries with the most reported breaches (15,400, 12,600, and 10,600 respectively). Clearly, Brexit wasn’t enough to get the UK off GDPR’s radar.
At a panel discussion on GDPR, Stephen Eckersley, the head of enforcement at the U.K. Information Commissioner’s Office, said the U.K. had seen a “massive increase” in reports of data breaches since the GDPR’s implementation.
Moreover, the law extends not just across borders but also to data breaches that occurred in the past. For example, Uber, even though headquartered in the US, was fined £385,000 for losing customer data of UK citizens, in relation to a breach that occurred when the UK was still a part of the EU.
Clearly, the law isn’t just limited to the EU; it was never meant to be. GDPR’s reach is spreading like wildfire. The location of one’s headquarters doesn’t matter anymore – what is accountable to GDPR is where the decisions concerning data processing are taken.
If there was a major target for the EU’s GDPR, it would be marketers. Since the whole argument around the unethical use of consumers’ data revolves around collecting data and then systematically manipulating consumers to give in to similar purchases again, GDPR requires marketers to secure explicit permission for data-use activities.
The law is forcing marketers to relinquish much of their dependence on behavioural data collection. It has made the process more taxing, or rather frustrating, for marketers, who must wait to collect an individual’s consent to data gathering and processing and only then formulate results based on that. In short, the result is the formation of a more equitable digital advertising space for all players, including end customers.
GDPR was hyped up to come in with a roar. But it spent much of the last year in a whisper. The conversation, however, is shaking the solid ground of data processing that we stand on and giving us more transparency into what’s underneath.
It’s slow but effective, or as Omer Tene, Vice President at the International Association of Privacy Professionals, said on Silicon Valley’s data scandals, “the slowness is the nature of the beast. The wheels of justice grind slowly.”
We live in a world that’s increasingly defined by technological asymmetries – a schism between big corporations and powerful governments on one side and ordinary individuals on the other. Laws like these are made to sustain the fundamental values of equality and freedom on which democratic societies stand. In fact, as a direct result of GDPR, countries including Japan, Brazil, and the US state of California have passed their own privacy laws.
So get out your streamers and balloons: in the grand scheme of things, GDPR might seem small now, but it has achieved quite a ground-breaking feat in restoring equality and safety in our lives without trading off our freedom.
Originally published Jun 14, 2019 12:06:50, updated Dec 21 2022