The 25th of May, 2018, was a day marked out in everybody’s diary. It was the day the General Data Protection Regulation (GDPR) officially became a law. In the week leading up to and the one following it, schedules were cleared, and calendars emptied. So, two years later, how has the world dealt with the privacy apocalypse and what can we expect from the next two?
A fairly accurate description of that fortnight is "somewhat anticlimactic." Now, that’s not to say that its effects haven’t been felt, because they have (I’ll discuss that in more detail shortly) – but there was no overnight revolution as was previously advertised. Instead, it was business as usual for a while. It took five months for that hospital in Portugal to be fined a paltry €400,000 ($489,000) and until January 2019 for the French Data Protection Authority to hand out anything near the penalties threatened in the headlines. The two cases that resonated most with the public were, of course, British Airways (£183M/$227M) and Marriott International (£99M/$123M) as both are household names.
So, what are some of the reasons behind the penalties? Most are related to:
- access control
- consent
- appropriate technical and organisational controls
- the legal basis for marketing activities
Anecdotally speaking, these would seem to correlate with some of the largest areas of spending/investment required to meet the new legislation since this is where the biggest changes are required from legacy systems and approaches.
Over the last three years or so, we’ve seen an explosion in the technology vendor/partner space as companies scramble to upgrade systems, modify platforms and integrate new solutions to tick the boxes. Technological answers can be great if you’re looking to pseudonymise your database or implement Customer Identity and Access Management (CIAM) within your organisation, but it’s only part of the story. Don’t forget, there’s no silver GDPR bullet. Process and policy also play a major role in compliancy with this.
Although the GDPR was billed as evolutionary rather than revolutionary from the Data Protection Act 1998 (the UK’s implementation of the 1995 directive), many companies found themselves forced to get their house in order and since 2018 we’ve seen lots of examples of procedures make their way from people’s heads to paper. Speaking of which, of course GDPR applies to paper-based records as much as it does digital records. Secure destruction no longer means throwing it in the bin and in a time of prevalent recycling, just discarding a document needs a process, triage and decision making.
The public has undoubtedly noticed that you can hardly visit a website these days without being bombarded by a cookie wall/banner. Although the vast majority are unlawful (the cookie law requires you gain consent, but you cannot deny a product or service on the basis of non-consent), it is helping raise awareness of data privacy. The GDPR carried forward, and enhanced, the data subject’s rights from the previous directive but, to this day, I’m not seeing any advertisements or publications of them outside of the data privacy community. One might have expected something in the broadsheets (that’s a newspaper, for those of you reading this outside of the UK) or a billboard in the city, but instead people have to rely on what they read online and, of course, that requires them to first know they have rights on which they can search.
As I said at the start, the effects of GDPR have very much been felt within organisations across the globe. My view is the changes that have happened, are happening – and will happen – in the coming months are good for both the organisation in question and the industry vertical in which they operate. I’ve often said that data protection can, and should be, a differentiator in the marketplace and I have no doubts that over the next two years, we’ll see much more of that come into play. Commercial opportunities will be won or lost based not on price, but on business practices and policies. Certainly, due diligence must come first. Only then can businesses feel a sense of comfort in the longevity and security of their GDPR investments.
