2 Years of GDPR: Navigating a data protected world

The General Data privacy regulation (GDPR), passed in May 2018 has been a significant milestone in protecting user rights and ensuring data privacy. After four years of preparation, it was approved by the EU Parliament on April 14, 2016, and went into effect on May 25, 2018. It is the largest legislation of its kind and has had a far-reaching effect, extending beyond the borders of the EU. In this article, we shall discuss how GDPR has affected data collection and legal strategies of companies and how can companies retain customer trust: something that is supremely necessary in a data-intensive business environment.

There are three main goals of the GDPR that can be broken down into:

  1. Protecting the rights of users in regards to their data.
  2. Ensuring that data privacy laws keep up with the ever-changing landscape of technology.
  3. Creating unified and consistent legislation across the EU. All of the regulations laid out as a part of the GDPR apply to any and all businesses that interact or do business with EU citizens. This means the effects of the GDPR’s legislation surpass the EU, affecting US, Chinese and other non-EU companies who do business with EU citizens.

The Effect of GDPR: Across the data ecosystem

Changing the scope and dimension of data protection laws: he GDPR regulation in Europe has forced data regulatory bodies globally to rethink their data protection and user privacy policies. Inspired by GDPR, the California Consumer Prevention Act (CCPA) was put into implementation in late 2018, followed by the Lei Geral de Proteção de Dados (LGPD) in Brazil.

Heavy Reliance on third parties and legal experts: Since GDPR was the first legislation of its kind, businesses were relatively unprepared for the dynamic changes that they had to bring to their data policies. They could also just not change the policies abruptly, without communicating about the change in an effective manner. As a result, a whopping USD $9BN has already been spent on GDPR preparation globally.

Fewer fines have been given than expected: Since the law is still in its infancy when it comes to scope and implementation, hence the regulatory authorities were relatively very lax on fines, although since its implementation $63 million fine has been collected, out of which $57 million has been issued to Google. Although the amount seems to be large, it is nothing as compared to the revenue of $136.2 billion that Google realised in 2018. Although there have been 144,000 complaints that were recorded, and 81,000 data breaches were reported, with 63% of the breach cases resolved and the rest pending. This data clearly indicates that more and more companies are evolving as the law is slowly but steadily becoming a norm.

Mixed Customer Feelings regarding the law: Although the GDPR is aimed at protecting customers and their rights, questions about implementation, enforcement and redressal have put certain doubts in the minds of customers with 45% of EU citizens still concerned about their data privacy.

But how has GDPR individually affected businesses (controllers), customers (users), and enforcers?

Businesses (Controllers)

Businesses are referred to as controllers because, they are responsible for controlling and protecting the data of the customers. Luckily for most businesses, the first year was a year of transition and most of the companies got away scoff free or with a warning. The most impacted were small businesses who did not initially have a data privacy infrastructure at place. Businesses spent $1.3 million on average to meet compliance requirements and are expected to put in an additional $1.8 million according to a survey by IAAP. After all of these investments, fewer than 50% of businesses are compliant, but 4 in 5 are working towards meeting requirements. For the 1 in 5 businesses who choose noncompliance, their options are: incur penalties or cut ties with all EU customers and users. Apart from the businesses that deal directly with consumers, GDPR has brought ripple effects in the Legal and Marketing industries. Initially, businesses found it relatively difficult to navigate somewhat vague wording of the GDPR. Even big companies with large legal teams had to seek external legal counsel since they had never dealt with data privacy before. Legal advice and teams cost UK FTSE 350 companies about 40% of their GDPR budget or $2.4 million. GDPR has also changed the way marketers do their job. Companies and in-house marketing teams have to be careful on how they deal with customer data, and many teams are nervous about the potential fine on their companies or clients in case of any violation.

USERS (Data Subjects)

Since the implementation of the GDPR, the customers and users generally have an upper hand in such digital transactions, given that the companies are GDPR compliant. Customers have reported a positive improvement in User Experience on GDPR compliant websites. Although still in its nascent years, users all across the EU have mixed feeling about this legislation. While some users agree that it was important for such a law to be enforced, some are still not satisfied with the user protection provided under the GDPR.

Data Protection Officers and Auditors (Enforcers)

Since its inception, the GDPR has led to an increasing demand for Data Protection Officers (DPOs) and a dedicated data privacy team. In April 2016, there were only 13 DPO postings per a million job postings, which rose to 103 per a million in 2017, an increase of 692% in 18 months. Currently there are over 500,000 DPOs employed within the workforce, an increase of approximately 6 times the forecast.

It will not be wrong to say that the implementation of the GDPR has drastically disrupted and altered the data collection, synthesis and analysis strategies of companies. Although, there are still many unanswered questions regarding the implementation of the GDPR, but it has already affected many digital businesses and marketplaces. The implementation of the CCPA was a huge legislation trend that was witnessed after the GDPR came into force, and trends suggest that other countries and more US States are considering implementing new privacy regulations inspired by the GDPR. Although still in its native years, GDPR has definitely altered the way companies handle consumer data, and has empowered customers with more rights and protection over their personal data.

Here is a video from the legal experts at Cloudi-Fi, for more information about GDPR compliance.