Two Months Later: Living in a Post-GDPR World
It’s been over two months since the EU’s General Data Protection Regulation (GDPR) came into force on May 25th and, after a feverish rush for compliance overtook all businesses, a period of relative calm followed in the wake of its implementation. Whether this is because both organizations and users suffered from an oversaturation of GDPR-related content, updated privacy policies and consent requests, or because the new regulation has yet to shed its training wheels, the GDPR has effectively left the limelight.
That being said, if it’s not making headlines as it did a year ago, the GDPR is leaving its mark on the data protection field by being the first legislation of its kind to tackle present-day dangers to data security and companies’ accountability to their customers and the law in the face of these threats.
The post-GDPR world is one full of anxiety and opportunity. Many companies are struggling to put in place the infrastructure needed to respond to incidents and data requests as laid out in the GDPR, while entrepreneurs are profiting by building tools that enable companies to more easily manage visitor and customer consent.
Noncompliant companies may hope never to incur the wrath of customers and data protection agencies, but with data breaches continuing unperturbed through the ingenuity of perpetrators or the neglect of employees, and with customers having the right to request their data at any time, it won’t be long before they find themselves on the wrong side of the GDPR.
GDPR Compliance Rising
US-based security company TrustArc surveyed 600 companies across the EU, UK and the US about their GDPR compliance and found that, while only 20% of the companies surveyed believed themselves to be GDPR compliant, 53% are now in the implementation phase and 27% have not yet started. This is a significant boost from their results in a similar survey conducted in August 2017: the number of companies whose GDPR implementation is under way or completed increased from 38% to 66% in the US and from 37% to 73% in the UK. While there is still significant progress to be made, 74% of respondents expect to be compliant by the end of 2018 and 93% by the end of 2019.
Another interesting finding of the report was that, when asked about their reasons for seeking GDPR compliance, most companies did not cite the GDPR’s much-talked-of fines, but first and foremost mentioned customer expectations, followed by company values and partner expectations. The GDPR’s fines and potential lawsuits ranked only 4th on their list of reasons.
The GDPR has had a few surprising effects: in the UK, for example, the Royal Mail saw its revenues from addressed letters drop 7% as companies reduced unsolicited junk mail to meet GDPR requirements. With website visitors now able to opt out of third-party elements such as ad servers, Google Analytics and plugins, reduced loading times and a better user experience have been reported on sites running in the EU.
A consequence everyone expected, on the other hand, has also become a reality: the GDPR has inspired legislators around the world to push their own data protection regulations towards adoption. From China’s Internet Security Law to the California Consumer Privacy Act of 2018 (CCPA) and Brazil’s Data Protection Bill of Law, data protection is becoming increasingly legislated across the world, and the GDPR, with its ground-breaking policies, its pro-user approach and its harsh penalties, has set the tone.
A Waiting Game
The GDPR’s most dreaded promise, the fines for violating its core principles which can go up to €20 million or 4% of a company’s global annual turnover for the preceding financial year, whichever is greater, has yet to claim any victims. Many national protection authorities have advocated for a period of lenient enforcement that would allow companies to finalize their GDPR compliance without risking fines.
However, with some companies outright ignoring the risks of non-compliance and others failing to respond to data requests within one month, momentum is building towards full-blown litigation cases and the first fines under the GDPR.
Ticketmaster, the giant ticket-selling company that suffered a breach affecting 40,000 British and international customers between September 2017 and 23 June 2018, may be the first to wind up on the GDPR’s chopping block, both for its failure to disclose the breach to the UK’s Information Commissioner’s Office (ICO) within 72 hours of learning of its existence and for its failure to adequately protect its customers’ data. Both the business and legal worlds are holding their breath in anticipation, as this case may set the standard for GDPR enforcement across Europe.
These first few cases, whether they address the consequences for data breaches that big companies like Ticketmaster will face in the age of GDPR compliance or the fines companies will be expected to pay for failing to reply to data requests or disclose breaches in a timely fashion, are likely to set the standard for all future applications of the new regulation.