The Impact Of GDPR
The General Data Protection Regulation (GDPR) is in full swing. Since its implementation in May 2018, the EU's landmark legislation has brought sweeping change to data privacy rights, particularly who "owns" data, who controls it and who gets the final say in its uses and transactions in today's digital-first world.
How are companies worldwide faring in this new GDPR reality? Have its rules, benchmarks and penalties translated into greater security and transparency for the people and organizations most affected by its reforms, or have compliance efforts already descended into turmoil?
GDPR Recap: Definitions And Timeline
Regulation surrounding the collection and usage of personal information online is nothing new.
The European Union was already addressing such digital activities as far back as the early 1980s. That momentum continued through the following decade, most notably with the Data Protection Directive 95/46/EC of 1995, one of the first major international regulations to establish that the right to privacy extends to an individual's online information or "digital" self.
Yet as technologies evolved and everyday access to and use of the Internet burgeoned, these old regulations lost their teeth. While the principles behind an individual's right to privacy and agency remain at the core, it became clear that the legislation needed updating to address some of today's most pressing cybersecurity concerns — concerns that didn't exist in the '80s and '90s, such as cloud data storage, mobile computing, artificial intelligence, increased third-party data sharing and much more.
From January 2012 through to January 2016, several EU bodies came together to draft the GDPR provisions in place today. That four-year process included work from the European Commission, the European Parliament, the Council of the European Union and the Organization for Economic Cooperation and Development (OECD), resulting in the finalized document published in May 2016. This was followed by a two-year grace period allowing organizations to refine and update their data operations to comply with the new standards, with the regulation taking full effect in May 2018.
1. Review Of GDPR
GDPR has three overarching goals. Together they capture the spirit of its legislative updates, which are designed to:
- Harmonize data usage and privacy laws across all European Union member states
- Prioritize any EU citizens' agency and control over their own personal data
- Reshape the way organizations handling or interacting with EU citizens' data manage and approach all data-related activities
GDPR's updates are broken down into 99 legislative and directive changes laid out in sections known as articles. Among these, several key areas stand out for organizations to bear in mind:
- Processing: Personal data must now be processed explicitly and transparently. It must also be collected on a case-by-case and situationally relevant basis, not in broad transactions. Consumers must be told specifically how and why their data is being processed, as well as their right to "opt out" of such processing.
- Consent: Language surrounding data collection must be clear and unambiguous. An individual must give informed consent to have their data collected and used for specific purposes. Those purposes must also be presented in an active, timely and "affirmative" manner, meaning pre-ticked boxes, or separate terms-and-conditions pages filled out once and written in incomprehensible legal jargon, are no longer acceptable under GDPR.
- Compliance: Companies face heavier punishments if found non-compliant. Accountability falls on both organizations storing consumer data and organizations using consumer data for commercial or operational activities. Compliance measures covering the record-keeping and security of all private data have also been tightened.
2. Important GDPR Terminology
To understand GDPR's full range of updates and worldwide regulatory impact, you must first understand its key terms and definitions:
- Personal data/data subject: Personal data is any information that can be used to identify a single individual — the data subject.
- Data controller: The body or organization that determines what data is collected, where and for what purposes.
- Data processor: The body or organization that performs the actual data collection and, in some cases, storage.
- Data subject rights: The list of tenets protecting the individual at the heart of GDPR. These rights include clear and unambiguous data-processing information, the right to opt out of having their data processed, the right to have their personal data removed from an organization's databases, the right to receive and view what data an organization holds on them and much, much more.
GDPR Today: Updates And Impact Globally
There's no way around it — GDPR's impact worldwide is here to stay. The consumer controls and privacy rights it stands for are likely to be adopted in additional countries as consumers grow more aware of the scope and scale of their personal data being used — and stories of corporations abusing that data trust become more mainstream.
What's more, GDPR doesn't only affect those within the EU. Any company, organization or institution that comes into contact with an EU citizen's personal data — even as a third-party processor — must prove compliance.
This is a significant feature of GDPR and one of its most essential. An organization does not have to be within EU borders to be legally bound by its regulations, or to be penalized for failing to follow them.
Now that the dust has settled around GDPR's implementation, what's happened worldwide since going live?
1. In The EU
- Opt-in fatigue: Starting in May, EU citizens — and more around the world — were inundated with emails asking them to re-consent to company communications, cookie policies and data usage. These mandatory opt-ins had unintended consequences, though, as bombarded consumers admitted to skimming many of these new messages at best — messages meant to protect them.
- Social media usage: Facebook has reported a drop in both daily and monthly active users throughout the EU since the May 2018 GDPR initiation, as well as a dip in advertising revenue. It cites GDPR legislation alongside EU consumers' heightened data sensitivity for these drops.
- Small and mid-size businesses hit hardest: In their first-quarter reports, EU companies on average have reported a 25 to 40 percent decrease in their "addressable markets," meaning individuals have chosen to opt out of primarily direct-marketing messages. While this is easier for larger companies to absorb, small and mid-sized operations have felt the most substantial pinch, losing access to key prospective customers.
2. In Asia
- Regional, not international, precedent: Asian markets have traditionally allowed for regional and situational data-privacy measures to be the operating standards rather than objective, national or international ones such as GDPR. As such, many Asian corporations are playing compliance catch-up from farther behind compared to international counterparts.
- Breach reporting and time zones: Many Asian corporations have voiced concern over GDPR's 72-hour breach notification requirement because of the time-zone gap between the EU and Asia. This notification mandate, though, is a non-negotiable article: it states that controllers and processors must report a data breach to affected individuals within 72 hours, or "without undue delay."
3. In North America
- Consent caution: Research from Forrester has found that in the wake of GDPR's first quarter, nearly one in three Americans refused an online transaction. This new trend has been attributed to increased awareness of and sensitivity toward data profiling, and to consumers' own desire for greater online privacy.
- Impending regulations: From California to Brazil, legislation inspired by GDPR has found footing among government bodies, especially those interested in regulating how citizens' data can or cannot be monetized without consent.
- U.S. websites opting out: To further soften the transition — or to buy even more time past May's deadline — many U.S. companies have simply made their websites unavailable to EU visitors. For example, the popular publications The Los Angeles Times and The Chicago Tribune have become inaccessible to EU readers while their parent companies navigate the appropriate international data-privacy updates.
Have There Been Any GDPR Fines So Far?
The short answer to this popular question? No — not technically.
However, the long answer is far more nuanced. A handful of organizations and institutions have already come under fire for data privacy breaches, misuse or monetizing data without clear consumer consent — all problems GDPR aims to remedy. Actual GDPR fines or monetary penalties for these misappropriations, however, remain in limbo.
Any organization deemed non-compliant with GDPR faces fines of up to four percent of annual global revenue or €20 million — whichever is higher. This is a serious increase over past data-privacy penalties and a sign of GDPR's impact and gravity.
So much so, in fact, that many are watching closely to see how such fines are actually applied, from their amounts to the context surrounding their enforcement. Speculation about GDPR fines and penalties today centers on the following cases:
- Dixons Carphone: The international electronics and telecommunications retailer announced early in the summer of 2018 it had suffered a significant data breach, one compromising the personal information of nearly 10 million customers. Dixons Carphone represents the first major institution to see potential GDPR fines impacting its nearly £10.58 billion global revenue.
- Information Commissioner's Office of the United Kingdom (ICO UK): Reporting nearly 500 calls a week to its GDPR report hotline, the ICO UK is actively monitoring complaints and breach notifications in these crucial early months. However, the ICO UK also notes it will take eight to nine months to conduct full investigations into filed reports, a timeline that directly explains the lack of formal fines so far.
How Has GDPR Impacted Businesses Worldwide?
Simply put, GDPR affects any organization that uses online EU consumer data for some aspect of operations.
This is a near-universal and functional reality for most industries in today's world. Yet some rely on consumer data far more than others, either directly — such as for marketing campaigns delivered via email — or indirectly — such as part of a third-party data processing contract.
Across the globe, the following industries stand to see the most changes due to GDPR and their direct and indirect data management practices.
- Hospitality: Search engines use location features to show relevant nearby dining and entertainment. Transportation, tourism and lodging operations have used data profiling to generate listed prices and packages for EU travelers, such as airline ticket prices depending on past search history and geographic profile markers.
- E-Commerce and retail: Online retail thrives on its ability to record and track consumer purchases, then make recommendations or funnel products and services accordingly. In the past, it was legal for most retail operations to do so without explicit user consent. Online retailers must now explicitly illustrate their processes of tracking users' preferences and ask for permission to make product recommendations.
- Software services: Like the industries above, software providers around the world operate as both data controllers and processors. The cybersecurity of their products and services, and of their data storage, must be as airtight as ever.
- Healthcare: Those in the healthcare industries store and handle some of the largest and most sensitive swaths of EU citizens' personal data. GDPR no longer allows indefinite data storage, and it severely tightens the data security and protective measures the industry must adhere to.
- Banking and insurance: Worldwide, many banks and financial institutions lack the systems to follow through on an EU citizen's request to have their data personally audited, edited or permanently deleted. In fact, doing so might even render their services null and void. What's more, the industry often has data sources and partners flowing from multiple streams, further complicating complete compliance across parties and contracts.
It's also important to note a second way businesses worldwide are impacted by GDPR — through localized websites. Any company that engages with localized web content targeting EU locations will have to comply with all GDPR articles, as these geographically optimized sites are intentionally targeting and soliciting EU citizen information.
Are Any Companies Struggling With GDPR?
GDPR's impact remains in its infancy. As with GDPR fines so far, its worldwide ripple effects are still playing out. It will be some time before companies can conduct thorough internal or even external assessments of how they've weathered these early days and shored up operations for proven accountability and compliance.
However, there are a handful of companies that have already ridden some rough waves, for reasons that span from privacy discrepancies to past breach mismanagement to consent strong-arming.
Already, two separate organizations have lodged formal GDPR complaints against Google and by proxy its parent company, Alphabet, Inc.
These GDPR complaints come on the heels of the EU Competition Commission's recent ruling against Google regarding what it deems "a breach of competition rules," a landmark decision that found Google was providing financial incentives for the pre-installation of its search browser and other apps on Android mobile devices sold in Europe. As a result, the company has 90 days to prove an end to this policy and must pay a €4.34 billion penalty.
This comes after broader scrutiny behind Google's search-engine and app data collection tendencies, as well as the close-to-monopolistic hold they have on their market — all of which may not bode well for future GDPR negotiations.
Facebook, the social media giant, already landed in hot water over 2016's Cambridge Analytica scandal, in which the ICO fined Facebook over €565,000 for its involvement in harvesting and selling user data to the political firm. That fine is minimal, however, compared to what would have occurred had the scandal broken after GDPR's May implementation deadline.
As with Google, complaints have already been filed against Facebook over its poor data privacy and shady third-party operations.
GDPR's impact presents both a challenge and an opportunity for businesses around the globe.
On the one hand, organizations that embrace its tenets embrace greater transparency, authenticity and — ultimately — consumer trust. As they shore up data security and maintain more explicit channels of communication with their constituents, they live out the values GDPR represents — the same values more and more consumers say they wish to see from companies.
On the other hand, the size and scale of GDPR's updates make its impact seem monstrous, not manageable. For small and medium-sized businesses in particular, managing all the details to maintain compliance is understandably daunting.
For those concerned about GDPR next steps, there are more than a few considerations:
- Appoint a data protection officer: This individual spearheads holistic GDPR compliance activities, ensuring an organization is properly documenting GDPR-mandated procedures, administering customer consent messaging, safely storing data and otherwise doing as much as possible to demonstrate compliance.
- Adopt a data-breach plan: From actively monitoring network vulnerabilities to a set contingency notification plan in the event of a compromise, your organization must outline these emergency data procedures as soon as possible.
- Bolster your certifications: Information security, infrastructure and data-management certifications will likely complement GDPR preparations and further boost compliance efforts.
Think NQA When You Think Registration And Accreditation
The impact of GDPR is a global game changer.
As an accredited, international certification agency, NQA knows GDPR's importance and monitors its influence. We have a global reach but employ local expertise, helping our clients around the world through distinct auditing services to boost operations and stay in compliance with GDPR's updates.