Two years of the GDPR - the good, the bad and the future
Chad McDonald, Digital.ai, Vice President, 15 June 2020
Just over two years on from its introduction into law on 25th May 2018, the European Union's General Data Protection Regulation no longer dominates the business agenda as it once did. However, it has had a lasting effect on the way businesses think about and use personal information.
Perhaps the greatest achievement of the GDPR is its success in advancing people's awareness of data privacy among consumers and businesses alike. From a business perspective, all organisations have had no choice but to take a proper look at their data-handling policies and make a concerted effort to get them in line with the regulatory demands.
In early 2018 when the deadline was looming, I was constantly speaking to companies who had no real idea about which data was compliant and what they should do about it. Two years on, this has simply become part of normal business. Although it took a legal edict and the threat of fines to make this happen, it can nevertheless only be a good thing.
We have also seen an impressive shift in awareness on an individual level. Having worked in cyber security for many years, I had grown used to the fact that few people outside my field and my immediate contacts would have much regard for data security and privacy. Today, most people in any given business have a working understanding of the nature of the GDPR and the average consumer has at least some awareness of it. At this point, the level of awareness is already comparable to something like the US's Health Insurance Portability and Accountability Act (HIPAA), which was introduced many years ago.
Setting the global standard
Alongside its impact inside the EU, the GDPR has also made waves around the world and has set off something of a data privacy revolution. Many countries have now either published their own privacy regulations or are in the midst of the lengthy process of drafting and enacting them. India and Brazil, for example, are in the final stages of ironing out their own laws.
In the United States one of the most notable examples is the California Consumer Privacy Act (CCPA) which came into force in January. Similarly, although not strictly a privacy regulation, the recently enacted NY SHIELD Act has built on the baseline set by the GDPR to define the phrase "data breach" and set out the ways in which firms must notify involved parties. We will certainly be seeing more new laws in the next few years. The GDPR has set the standard for data privacy and many of these new regulations are explicitly using it as a basis.
Room for improvement
Although the GDPR has succeeded fully in forcing companies to take data privacy more seriously, the last two years have not been without their problems. One common criticism of the regulation is that its enforcers have failed to levy the much-discussed fines that drew so much attention before its launch.
The DLA Piper GDPR Data Breach Survey 2020, which collated data from the period between May 2018 and January 2020, estimates that around €153 million in fines has been paid so far, discounting some notable cases such as British Airways and Marriott International which are still underway.
Although the GDPR has always prioritised the worth of good practice over punitive action, a greater degree of high-profile cases might have spurred more businesses to take it seriously and go beyond the minimum required for compliance.
It should be noted, however, that the handling of specific GDPR violations is the job of national regulatory bodies. Many regulators have chosen to handle cases without punitive fines – Holland, for example, has by far the highest number of reported data breaches over the last two years but its regulator has not imposed correspondingly heavy fines.
As with all new laws and regulations, there are also some areas of the GDPR that could do with further refinement. For example, the regulation in its current form is causing significant issues for some areas of research. The stipulations of the GDPR make it much more problematic for researchers to collect, store and analyse large data sets for long-term studies. I hope that the coming months and years will see revisions to the regulation that make it easier for financial researchers and others to do their jobs effectively without constantly running the risk of being found non-compliant.
What does the future hold for the GDPR?
With the economy and the world at large still reeling from Covid-19, data privacy is unlikely to be high on the business agenda for some time. Indeed, the UK's Information Commissioner's Office has recently announced that it will offer extended deadlines for firms struggling to meet certain requirements such as responding to DSARs (data subject access requests) during the crisis. Although this decision has left a bad taste in the mouths of some security and privacy people, there is also much to be said for granting leeway to firms that are already on the brink of collapse.
Ironically, at the same time, HM Government itself has recently been reported to the ICO for its Track and Trace Covid-19 monitoring system because some say that it cannot keep data secure and private. However, if it handles the complaint, the ICO might have to set a difficult precedent.
The GDPR also faces an uncertain future in the UK due to Brexit. It remains to be seen how the final exit will affect the regulation, but it is likely that the UK will replace it with its own version at some time in the future. However, this is unlikely to deviate too significantly from the standard set by the GDPR.
Nobody knows exactly how many privacy-related regulations the GDPR is going to inspire. Although most are using it as the gold standard, there are still many differences in approach emerging that will cause plenty of headaches for businesses that operate worldwide. In the United States alone, for example, the NY SHIELD Act defines the term "data breach" more widely than the CCPA. This means that financial firms with customers in both states will have to tailor their responses to specific customers, while also accounting for the GDPR and a kaleidoscope of overseas regulations for their international customers.
Nevertheless, the GDPR has indubitably won the main battle of putting privacy on the compliance agenda. Now that it is ingrained much more firmly into the business culture and operational practices of most companies, it is hard to look at it as anything less than a success.