Saturday marks the first anniversary of the European Union’s General Data Protection Regulation (GDPR) finally coming into force.
GDPR was heavily hyped up, with many hoping – or fearing – that it would fundamentally change not only how companies handle people’s data, but also how consumers view their online interactions with businesses. Anyone with an email account became aware of GDPR, thanks to the dozens (if not hundreds) of messages that landed in their inbox from firms begging for consent to retain their data.
It’s now been a year, and apart from the annoyance caused to consumers by international webpages blocking traffic from Europe or consent banners popping up on every site, have these new rules had any impact?
A flurry of fines
In short, yes. There have been over 200,000 complaints sent to authorities, 65,000 data breach notifications, and regulators have handed out GDPR fines totalling €56m (£49.4m) – though the majority of this was a single €50m penalty handed to Google in January.
The figure of €56m may seem low considering the buildup prior to May last year and the fact that GDPR’s scope effectively covers any company in the world handling the data of European citizens. But there are several major investigations currently ongoing, and officials have said that there will be more announcements later this year.
“It’s likely that we’ll see financial penalties surface in the next few months, however, it’s difficult to predict the size of these,” says Peter Church, counsel in the technology practice at Linklaters. “What businesses need to consider is not just the cost of the fine, but also the associated steps they will need to take to become compliant, which will be expensive.”
Know your rights
And now that the dust has settled, other governments around the world may soon adopt similar rules to GDPR, according to Chris Hodson, chief information security officer at Tanium.
“Norway, Iceland and Liechtenstein have adopted GDPR by proxy as European Economic Area members,” he says. “Further afield, California has introduced its own Consumer Privacy Act, and the EU has accepted the adequacy of Japan’s amended Act on the Protection of Personal Information legislation under GDPR, allowing the free flow of information between the two regions.
“Although privacy regulation is still evolving, it’s encouraging to see governments around the world building on GDPR by addressing the widespread availability and abuse of individuals’ personal information.”
Beyond changes to the regulatory landscape, perhaps the most important thing that’s changed over the last 12 months is people’s attitudes. GDPR, along with major events like the Cambridge Analytica data scandal, has helped to raise consumers’ awareness of not only how much data they are producing, but also what companies might be doing with it.
“GDPR has had a profound effect on societies’ approach to data,” says Derek Roga, chief executive of EQUIIS Technologies. “The public are now more aware of the types of data they are creating and sharing on a daily basis. The simple task of ticking (or not ticking) a disclaimer before people enter a website in Europe has played a key role in elevating the general understanding of what personal data actually is.”
Not only that, but GDPR has given people practical tools to hold companies to account and protect their privacy. The most high-profile example of this happened earlier this month, when it was reported that Prince Harry had used GDPR to help win a legal battle with the paparazzi agency Splash News.
According to Sarah Armstrong-Smith, head of continuity and resilience at Fujitsu, this was the best testimonial that GDPR could have hoped for.
“It shows that the system is working, and that all citizens have a right to protection when it comes to privacy, including royals and celebrities,” she adds. “This is a powerful new weapon that reinforces one message: people’s privacy isn’t something to be mistreated or abused.”
Trust in trouble
People are certainly more aware of their rights, but GDPR has had an unfortunate side effect – it has eroded the public’s trust in businesses.
A report released this week by the Institute of Customer Service revealed that 64 per cent of the country cannot name a single organisation that they trust to handle their data, and a quarter of customers won’t share any of their personal information with organisations.
Joanna Causon, chief executive of the Institute, describes these findings as “alarming”. She points out that businesses can use customer data to provide customers with truly personal experiences, but doing this is now much more of a challenge thanks to GDPR and the public’s lack of trust.
Of course, companies have not done much to restore the public’s faith. In fact, it’s been 12 months since the launch of GDPR, and many businesses remain unprepared. Andrew Beckett, the managing director of cyber risk at Kroll, thinks that many firms still lack adequate cyber security, while Matthew Overton from Joelson says his law firm is still regularly approached by organisations that are not yet compliant.
This lack of trust could become a major issue in the months and years to come. After all, while a degree of scepticism is healthy, a blanket distrust of anyone trying to collect and use data is not – it will make it harder for businesses to be more productive, efficient, and provide goods and services that consumers actually want.
Instead of reassuring consumers that their data will be protected, GDPR has added to public anxiety over the issue – in fact, a survey by IDEX Biometrics found that 84 per cent of UK consumers don’t think that the regulation has been effective.
In its effort to protect our privacy, GDPR has further damaged the relationship between consumers and enterprises. That’s probably not what it wanted to hear on its first birthday.