The General Data Protection Regulation (GDPR) was created to protect the privacy of individuals within the European Union (EU), providing new rights to know what information is collected and how it is used and shared, as well as the right to correct and delete data. One year in, what have we learned about how GDPR requirements have affected organizations, and what still needs to be improved?
Breaches Are Now Public Knowledge
The GDPR expanded the definition of “personal data” and imposed stricter security on data processors and controllers. In addition, organizations now have a 72-hour window in which they must notify the supervisory authority in the event of a breach.
Since many EU countries previously had no breach notification requirement, or none as strict as the GDPR's, the result has been a spike in breach reports. Because reporting was spotty before the GDPR, there is no reliable way to know whether the frequency of breaches has actually gone up; what we can say is that those breaches are now public knowledge rather than hidden away. The reporting also provides better insight into the types of incidents, their locations and their severity. According to the European Data Protection Board (EDPB), of the 281,088 “cases” reported by Data Protection Agencies (DPAs) in 27 European Economic Area (EEA) countries, 89,271 were data breach notifications.
Complaints Are on the Rise
Now that the information about breaches is more available and the GDPR has received a great deal of news coverage, consumers are more aware of their rights and complaints against organizations are accumulating. In the first year of the GDPR, 144,376 complaints were received, including complaints about the ability to access data and prevent processing, as well as concerns about unauthorized processing and disclosures.
As consumers feel more empowered, they may expect more from the organizations they interact with, including visibility into how their data is used and how it is protected. They may naturally move away from companies that breach their trust, whether intentionally or inadvertently. In fact, a KPMG study found that 19 percent of consumers would stop shopping at a retailer that had suffered a breach from hackers.
Trust Is at Stake
Consumers are now more aware of how their data is being used and misused due to news reports on highly visible breaches and the questionable actions of social media platforms. In the U.K., research from the Information Commissioner’s Office (ICO) found that only 1 in 3 people surveyed trust organizations to handle their personal data in accordance with law.
As consumers become more concerned with protecting their data, they are also more likely to lose confidence in brands that are accused of malfeasance, and that loss of confidence can damage brand reputation and have an impact on an organization’s financial outlook. While noncompliant organizations may face a loss of consumer trust, the converse is also true: Those that focus on building trust may perform better financially and may find it easier to hire and keep talented staff, since trusted organizations are more likely to be sought after and recommended as potential employers. Trust can be seen as a competitive edge as consumers and regulatory bodies demand more accountability.
More Legislation Is Coming
With the accumulation of data around breaches, complaints and penalties levied, other governments are assessing the effects of the GDPR and starting to enact their own regulations. Some of the new legislative efforts are at the national level, while others are at the state level. The reporting out of the EU underscores the value of a coordinated, consistent, overarching policy in terms of visibility and enforcement. Prior to the enactment of the GDPR, regulations in the EU were a patchwork, and a similar state-by-state patchwork of legislation is currently being developed in the U.S., which may result in conflicting or complicated compliance requirements.
Meeting the Requirements Is a Challenge
As they prepared for the 2018 enactment of the GDPR, organizations were tasked with assessing their compliance capabilities and taking steps to adjust or adapt to meet the requirements. The first steps are usually to identify gaps and plan their remediation. For many organizations, this meant gaining a better understanding of their own systems in order to find relevant data, ascertain how it is managed, stored and protected, and determine what must be done to achieve compliance.
This process could be lengthy in terms of unraveling complicated business processes, assessing solutions based on needs, and putting those solutions into place. In a survey released in April 2018, many respondents stated that they saw GDPR compliance as being as difficult as, or more difficult than, meeting other privacy and security requirements. Likewise, 47 percent did not know where to begin the process of achieving compliance with the GDPR. Many organizations are still working on GDPR compliance and are not equipped to do the forensic work required to manage and report on breaches.
Organizations that rushed to get ready for GDPR using manual methods such as spreadsheets and questionnaires are now seeing the need to automate to keep records updated and reduce administrative overhead. Now, as other regulations, such as the California Consumer Privacy Act (CCPA) and Brazil’s General Data Protection Law (LGPD), come into effect, it can be challenging to manage a patchwork of regulations without using automation such as classification to locate personal data.
Fines Are Slow in Coming
The data on breaches and complaints indicate that the regulation has succeeded in bringing these issues to light. However, there has not been as much emphasis on levying fines against organizations that haven’t taken the proper steps to protect personal data.
In the initial nine months of the GDPR, total penalties imposed were nearly 56 million euros. That may seem like a large number, but 50 million euros of that came from one fine levied against Google. As of early 2019, many organizations were not being fined for their failures, and the fines that were being imposed were small enough that they may have no punitive effect on the impacted organization. It is possible that this first year was considered an amnesty period, and that more fines can be expected over the coming years, but it also bears noting that many regulatory groups found it difficult to manage the number of cases coming in — they were understaffed and overwhelmed.
It’s clear that the GDPR isn’t the last word on privacy; more regulations are being enacted all over the world. Consumers are demanding greater accountability and governments and organizations are taking notice. Changing behaviors takes time and effort and can feel challenging, but organizations that can leverage their trustworthiness as a differentiator are positioned to be rewarded by consumers who have a better understanding of how their data is being used.