It’s been a year since the General Data Protection Regulation (GDPR) came into effect on 25 May 2018 and changed the way people and businesses handle the data of citizens within the European Union.
At the time, I wrote a series of blog posts on the implications of GDPR for HR and offered my advice on how to become GDPR-ready and which pitfalls to avoid. I also answered 10 frequently asked questions on GDPR.
In this series, with the help of my colleagues Yorrick Bakker and Alexander Amirzadyan, I will explore the status of GDPR compliance one year later, offer a checklist of how to determine GDPR readiness, and share advice on how to simplify your data regulation compliance journey.
What did regulators set out to achieve with GDPR?
The General Data Protection Regulation applies to all businesses that have customers or operations within the European Union. Its goal is to protect any personally identifiable data of EU citizens wherever it is processed. Failure to comply with data privacy regulation can result in penalties of up to £20 million (~ US$26 million) or 4 percent of total global annual turnover.
When GDPR was first published in May 2016 and the effective date of 25 May 2018 was established, researchers identified three ‘burdens’ that GDPR would have on existing businesses:
- Nearly half of the privacy professionals surveyed in a 2015 Baker & McKenzie survey said that they didn’t have the tools to ensure compliance.
- Fifty-nine percent of respondents believed GDPR would have a moderate impact or would become a global game changer.
- At the time, the estimated cost of compliance for a large company was over £50 million (~$65 million) once-off and a further £1 million (~$1.3 million) a year to maintain compliance.
Now that GDPR has been in effect for a year, have these burdens materialized? Has GDPR become a game changer? Have companies managed to turn these burdens into opportunities, or are they still struggling to come to terms with the regulation? What has been the reality for financial services organizations?
Cookies, cookies everywhere—observations on GDPR
- No huge fines … yet
Regulators have not yet imposed the massive fines that they promised last year. An initial report by the European Data Protection Board shows that European data protection agencies have had over 200 000 reported cases of data breaches and have issued fines to the value of €56 million ($62 million). This may seem like a huge amount, until you take into account that almost all of it comes from French data watchdog CNIL’s €50 million ($57 million) fine for Google. Regulators have warned that 2018 was just a transition phase … with stricter penalties and increased regulatory checks to come.
Other countries such as India, Brazil and China are following in the footsteps of the EU and modeling their data protection regulations on GDPR. India has introduced the draft Personal Data Protection Bill, 2018, which recognizes individual privacy as a fundamental right. China is also tightening its data protection compliance programs, and Brazil’s new General Data Privacy Law is closely aligned to GDPR principles. South Africa has had the Protection of Personal Information (POPI) Act since 2013, but businesses still struggle to understand and comply with regulations.
- Consumers are happy … but also frustrated
GDPR has given European consumers more privacy rights and kept their inboxes free of annoying and intrusive spam messages. However, consumers, companies and regulators have been frustrated by the practical implications of GDPR. Privacy regulators have been overwhelmed by companies panicking and ‘over-reporting’; companies are frustrated by the new bureaucracy that comes with GDPR; and consumers are annoyed by the burden of endless privacy-update notices and nudges to ‘opt in’ or accept cookies.
- Businesses are still unclear on what they should be doing
In March, the International Association of Privacy Professionals had a meeting in Boston to discuss how GDPR had turned out after 10 months. Mark Schreiber, Co-Chair of Privacy and Security at McDermott Will & Emery, reflected on previous studies his company has done on GDPR readiness and said he expects that half of companies are still in the process of GDPR compliance and are likely to stay that way for the foreseeable future. “We still have too little time and it’s a year later,” Schreiber said.
Projections for the future
In the year to come, we expect that there will be more regulation and a tighter adherence to GDPR laws. However, this opportunity to clean up your data means that you can use it in creative ways to move your business forward. Those companies that know their data lineage properly have more control over data and its use throughout the organization and by their partners. This means they can truly turn the burdens of compliance into opportunity, for example:
| From burden … | … to opportunity |
|---|---|
| Stricter consent | Maximize marketing opt-in |
| Detailed records on data use | More efficient data operations |
| New categories of personal data | More comprehensive consumer profiles |
| Stricter governance | Value-based data investments |
| Data privacy by design | Improved ROI of new initiatives |
| Accountability for third-party sharing | More value from data sharing |
| Minimization of customer data | Reduction of cost and data noise |
| Right to be forgotten | Optimized marketing spend |
Furthermore, companies that are making strides towards compliance, or at least have a plan to follow the regulation, will be in a better position to defend against fines or issues raised.
In my next post, I’ll provide a checklist to help you determine if your organization is ready for GDPR.
Until then, you can contact me here or on Twitter (@knott_nic) to discuss GDPR, to find out more about digital HR in financial services or to join us at the Change Directors Forum and People Innovation Forum in London.