It’s been a year since the European Commission (EC) made its hotly anticipated General Data Protection Regulation (GDPR) enforceable on 25 May 2018.
Danny Allan, vice-president: product strategy at Veeam
There has been a tremendous amount of fear, uncertainty and doubt surrounding GDPR since its introduction. But it is time for the conversation to evolve beyond the noise and into the next level of discussion.
Over the course of the past twelve months, the regulation, which replaced its predecessor the Data Protection Directive from 1995, has displayed two key characteristics: it’s both specific and has teeth.
The impact of these characteristics is that data privacy is now recognised globally, similar to the way basic human rights are considered. Not only should any business that processes data want to respect GDPR, but they are now required by the EU to do so. This can be viewed as forward momentum, and a success for the technology industry. Technology is unable to reach its full potential until consumers have the trust required in the security and privacy associated with their data.
Data privacy gets specific
One of GDPR’s most virtuous traits is that it is specific. It’s clear about who it serves, who it applies to, what it enforces and what the penalties for failure to do so are. As a result of this, people are increasingly viewing data privacy as a basic human right, akin to freedom of speech.
The reason for this step-change is that GDPR has given us both individual and organisational awareness. The same as the tragic events of 9/11 gave us locked cockpit doors, GDPR has led to specific, fundamental changes in the way data privacy is managed, regulated and reported.
According to official EC figures, there have been over 95 000 GDPR complaints made by citizens, which demonstrates that individuals now have higher awareness levels of whether their data rights are being disrespected. An additional figure reveals a heightened sense of understanding from businesses, with 41 000 self-reported breach notifications.
Other tangible impacts that can be traced back to GDPR are a decline in the use of third-party website tracking cookies, and an increasing mistrust within the marketing supply chain. The Reuters Institute for the Study of Journalism reported a 22% drop in the use of cookies three months after the introduction of GDPR, while publishers, ad-tech firms and agencies are rewriting contracts to avoid being implicated by data breaches.
So, just like locked cockpit doors increase the safety of air travel without negatively affecting the overall experience of flying, the impacts of GDPR have been invisible, but significant. Cisco research has found that 75% of customers are realising broader benefits from their privacy investments, citing better agility and innovation resulting from better data management.
GDPR bares its teeth
One of the most notable reasons that GDPR caused the stir that it did outside of the data privacy and corporate legal fields, is the hefty penalty for failure to comply. The EC has the authority to fine organisations €20 million, or 4% of their global revenue — whichever is higher — if they are proven to have breached a single line of the regulation.
What’s more, data privacy regulators have enforced these measures with EC figures accounting for 91 reported fines within eight months of GDPR being enforced.
The most infamous of these financial penalties was issued by the French National Data Protection Commission, fining Google a massive €50-million in January 2019. German authorities have also handed out over 40 smaller fines for GDPR violations.
As well as financial sanctions, which can be crippling for smaller organisations with shallower pockets than the world’s largest data processors, there is a subtler deterrent at work: reputational damage. As data privacy becomes increasingly seen as a basic civil liberty, organisations of all sizes really cannot afford the stigma associated with abusing that right.
What’s next for GDPR?
There won’t be a radical shift from a regulatory perspective in the next year. Simply put, GDPR is working. The result is that we can expect more of the same from data privacy regulators: more fines, harsher penalties and further efforts to expose incompliance.
One interesting area to watch is whether the types of conversations GDPR is forcing CIOs to have will lead to repercussions at a global level; particularly when it comes to data privacy practices in countries such as China and the USA.
We will continue to see the EC flex its data privacy muscles, but we’ll also see a shift in the way organisations use personal data. Data is the lifeblood of businesses in the digital era, despite examples of some firms taking a radical stance on GDPR and deleting entire user databases.
Data collected today can be mined for insight tomorrow, and used to create better user experiences, develop products which address genuine market needs and reward customers for loyalty. As user awareness increases, tolerance towards organisations who are seen to be collecting, but not respecting data, will get lower.
Therefore, organisations that fail to get to grips with data privacy, making privacy part of its corporate culture, will face a backlash from customers, as well as draconian punishments from regulators. At Veeam, we believe that data privacy and protection should not be viewed as a box-ticking exercise, or something you just do because you must.
Becoming GDPR-compliant is an ongoing journey, and success should not be viewed as not being fined, or worse yet, getting away with something. Organisations must take pride in understanding, managing and protecting their data. Compliance is just one step on the way to becoming a data-driven business, which is constantly looking for new ways to leverage information to create better products, services and experiences for customers.