Sunday marked six months since Europe’s General Data Protection Regulation came into force. Since 25 May, there have been a number of high-profile data breaches that have reinforced the importance of data protection, for consumer and boardroom alike. Looking back at GDPR six months on, is it having the impact that regulators intended?
First, we must look at why European regulators created the GDPR in the first place: to give control of personal data back to the individual.
Beforehand, many companies had been taking advantage of lax legislation and toothless fines, creating an environment in which personal data was routinely exploited.
The GDPR forced businesses to change their data practices to meet a range of compliance tests. Failing to do so risks maximum penalties of 4% of global turnover or €20m.
But after six months of GDPR, there is still confusion among some organisations. Verdict spoke with C-level execs, legal experts, marketers and data protection officers to find out what’s working, what isn’t and if GDPR is working as regulators intended.
ICO yet to show its teeth
“On the face of it, it’s very hard to tell. Six months in and there are still stories of data breaches on an almost daily basis and we have yet to see any of the mammoth fines which can now be handed out.
“GDPR was not designed as a mechanism to make money, but rather as one to keep personal information safe. It is a topic of conversation at the boardroom level, and organisations are slowly putting processes (and technology) in place to comply with it.
“However, until the ICO shows its teeth it is difficult to say whether personal information is any safer today than it was 6 months ago.”
- Dr Guy Bunker, SVP of products, ClearSwift
GDPR could be one of “Europe’s biggest exports”
“Regulators can be pleased with the magnitude of engagement with GDPR, and the fact it has helped to tip the dialogue in favour of privacy having a fundamental role in society.
“The GDPR may also turn out to be one of Europe’s biggest exports: it is now inspiring (or at least informing) similar laws around the world, from India to China, from California to Brazil.
“The EU regulators have introduced a pioneering piece of legislation that looks likely to set the bar for data privacy standards around the world, and offers opportunities for closer working practices among international privacy professionals in business and the regulators they engage with.”
- Giles Pratt, IP and technology partner, Freshfields
“To answer whether GDPR is working or not, you need to look at why it was brought in in the first place. The main aim was to make it easier for EU citizens to understand how their data is being used.
“I would argue that the multiplicity of ways it has been implemented across websites makes it hard for users to understand what they are confirming or consenting to for their data usage.
“As GDPR wants specific consent for specific purposes, I would question whether a user of a website, for example, would understand the difference between functional cookies versus strictly necessary cookies.”
- Gary Neal, COO, Smartology
Teething issues yet to be resolved
“Firms are still too reliant on in-house systems where data protection does not form part of the fabric of the technical architecture. And worse, many still use spreadsheets and email as methods of storing and distributing sensitive data.
“Until these issues are addressed, firms are continuing to leave themselves exposed to a breach of terms and potentially damaging fines.”
- Andrew Watson, head of regulatory change, JHC
“Questionable” impact on Google and Facebook
“Mostly yes, because regulators have largely succeeded in achieving their aims of reasserting the individual’s right to privacy, and in harmonising regulations across Europe. Companies that had grown complacent about the way they collected and used personal data are now much more mindful about capturing consent and treating customers accordingly.
“Where the success of GDPR is questionable is regarding data giants such as Google and Facebook. When people click ‘agree’ to terms and conditions do they fully understand how much data is being captured by these behemoths and how it is being used?
“Closer regulation and greater transparency may be required to restore public trust.”
- Ol Janus, group head of data, Havas helia
“GDPR was never meant to bayonet the wounded”
“The temptation is to look for judicial victims and transgressors to see if GDPR is a success or not, but this is a mistake. GDPR was never meant to bayonet the wounded and to slap 4% of turnover fines on everyone in sight.
“This is not an attempt to pay for the policeman’s ball with speeding tickets on the 30th of the month. Instead, GDPR is about the rights of citizens and the need for customers to treat privacy and security correctly and customer data as a privilege and not a right.
“From that regard, GDPR is a success: companies internationally have revamped security programs, re-worked missions, emphasised privacy for real as a priority and have renewed dialogues between CPOs, CSOs and CIOs with the business at large.
“Long term, GDPR has a long way to go, filled with whistleblowing, fines, politics, diplomacy and more; but 6 months in it looks to be a success for citizens, for privacy and for security despite the pain, the hype and the consultants who have billed millions of hours in the interim.”
- Sam Curry, chief security officer, Cybereason
GDPR: “A strong opportunity”
“While many across the EU have endured an influx of emails, there’s a strong opportunity presented here by regulators. We’re not only seeing a shift in power in favour of the consumer, but also the ability for companies to highly target those consumers interested in their products and services.
“By engaging with more relevant audiences, brands in all sectors are in a better position to reach their end users and improve their bottom lines.
“Regulators may continue to struggle with the nitty-gritty details of GDPR’s implementation, but I think its original intended outcome has been quite successful to date, and will see increasing success as companies globally adopt the regulations.”
- Nadia Benaissa, chief marketing officer, Fidor Solutions
Encrypted data muddying the water
“Six months on, there are clear signs that businesses are searching for ways around GDPR as their business model relies on the selling and operating of customer data.
“Much to the dismay of the regulators, businesses are sending out more encrypted data back to browsers and claiming legitimate consent through the acceptance of ‘cookies’ – a step back from the intended, clear opt-in businesses have been asked to gain and provide proof of.
“GDPR has certainly been a step in the right direction, but there are still some creases to be ironed out to ensure a smooth, GDPR-compliant business world.”
- Paul Tarantino, CEO, ConsentEye
“Data protection is gaining more attention globally”
“Ultimately, the purpose of the regulation is to change the mindsets of major businesses from one of ticking compliancy boxes to one of actively trying to be more responsible and transparent with data.
“What will give regulators heart so far is most likely the impact the GDPR has had outside the EU, for example in America with legislation such as California’s Consumer Privacy Act following the example the GDPR has set.
“This shows that data protection is gaining more attention globally.”
- Jack Carvel, general counsel, Qubit
Big fines to come in 2019
“There’s a feeling that so far the ICO has approached GDPR using the carrot instead of the stick – helping businesses become compliant instead of punishing those who aren’t. We haven’t seen the huge fines that might have been expected but this will likely change as we move into 2019 and the ICO becomes less sympathetic.
“I believe where we’ll see the biggest shift is in the penalising of internal breaches within companies where businesses are focused on customer data compliance without considering their own internal processes.”
- Benjamin Ellis, head of go-to-market strategy, Trunomi
GDPR has improved cybersecurity
“From a cybersecurity perspective, contrary to what headlines may suggest, my experience has been that many organisations have noticeably improved their security posture or, at the very least, are paying closer attention to how they store, transmit, and process personally identifiable information.
“While GDPR didn’t prescribe what good looks like or even what bad looks like, it does appear that its overarching mandate, in combination with its clarity of potential ramification has been the right recipe to wake many businesses from their cyber security slumber.”
- Steve Giguere, global solution architect, Synopsys
An improving data landscape
“The data explosion over the last decade has driven some elements of personal data to become commoditised and disrespected. Data trails should be treated like transactions on a current account — they are personal and portray valuable behaviour in much the same way.
“GDPR has caused companies to become more responsible. They have had to ask themselves why they are storing and using data. They must be more transparent and able to justify what they are doing. Importantly, consumers are more aware of how their data is used and will ask questions if they feel it is being misused.
“As GDPR best practice starts to become clear, emerging from the varying guidance and advice that has so far been in the market, the landscape will continue to improve.”
- Jon Cano-Lopez, CEO, REaD Group
GDPR six months on and beyond
The responses from industry experts show mixed views on the success of GDPR, and suggest that it is perhaps too early to get a true sense of its effectiveness.
This will no doubt change once we know the outcome of some large cases that are in the pipeline, which will in effect become a testing ground for the future application of the regulation.
While we are yet to see a company pay any fines under GDPR, AggregateIQ, the firm that processed data for Vote Leave, was hit with the first formal notice under GDPR by the ICO in September. It has since appealed, and the outcome is yet to be decided.
More recently, Facebook opted to appeal its £500,000 fine for its role in the Cambridge Analytica scandal. Although that case was brought under previous data laws rather than GDPR, the appeal signals that Facebook will not be curtailed by greater regulatory oversight.
The outcome of both appeals will be the first big tests of whether GDPR has given the individual greater power over their personal data.