Want to feel old? Here’s some news for you – the GDPR is turning one in a few days!
It’s hard to believe that one of the biggest, most polarizing and all-encompassing pieces of legislation has already been in force for an entire year. And, as I've discovered, it’s even harder to be compliant with it.
Although it was aimed at tackling violations of data subjects’ personal data and protecting consumers across the European Union, the GDPR has resonated across the globe since it came into force on May 25th 2018.
Many regions and countries are adopting similar provisions into their legislative systems (the CCPA is one of them) because privacy and data protection are issues faced by people all over the world.
So, it looks like organizations all over will have to learn all about data protection in the age dominated by technology. And that applies to giants like Facebook and Google, too, if the fines they’ve received are anything to go by.
Despite the global trend towards data protection, only about 50% of organizations can say that they’re currently compliant with the GDPR, according to McDermott Will & Emery Co-Chair, Privacy and Security Mark Schreiber.
As he mentioned at the IAPP Knowledge Meeting in Boston recently, “it will likely go on for another couple of years”. The complexity of the law and the lack of clear guidance from the European institutions, the high costs associated with compliance that not all companies can, or want to, bear, and the lack of harmonization of GDPR implementation across the Member States – all of those issues, and then some, are why the GDPR’s first year has not been smooth sailing.
Love it or hate it, the GDPR certainly made some headlines over the last year. The Irish Data Protection Commission recently released its first report on the results of the data protection regime imposed by the GDPR. I've checked it out – you can find some of the statistics for 2018 below, just to give you an overview of the law’s impact:
- 4,740 breaches were reported to the Data Protection Commission in 2018 – a 70% increase from 2017;
- 4,113 complaints – a 56% increase from 2017;
- 136 cross-border processing complaints, 27% of which relate to consent;
- DPC received 900 notifications of Data Protection Officers’ appointments – a mandatory GDPR provision for most organizations;
- DPC hired 50 new people and is expected to hire 30 more this year to meet the demands of the law.
This is only a small extract from the report which is a comprehensive overview of the GDPR’s first impacts. More information is available here.
The Irish authority, in line with the law’s overall objective to protect personal data in the digital age, has established a technology leadership unit (“TLU”). This unit’s purpose is to help the body assess the risks of systems and technology and compliance of data controllers.
If these statistics seem staggering, you’d be surprised to learn that Ireland isn’t even in the top three jurisdictions for GDPR complaints. The leaders are the Netherlands, Germany and the UK. In the first eight months since the law came into force, there were 15,400, 12,600 and 10,600 breaches reported in those countries, respectively. This data comes from a report commissioned by the law firm DLA Piper, available here. Overall, the number of breaches was over 60,000 in that time period. The survey was commissioned by the firm in February, however, so those numbers have definitely increased since.
So, clearly, the targets of the GDPR’s wrath weren’t ready for it. But were the people that it was supposed to protect? We’ve taken a look at the outcomes of the law so far.
The post-GDPR era has certainly increased people’s awareness of their personal data. They might have been irritated by the number of e-mails from various sites, but at least they knew what those e-mails were about. And I've mentioned the complaints lodged with the data protection authorities earlier – you can see the numbers for yourself.
These statistics are valuable information for consumers because they can increase awareness of how deep the problems with personal data protection go. And not just in the European Union – this example of a successful breach-reporting framework can be instructive to the US and other jurisdictions. The California Consumer Privacy Act (CCPA) and the LGPD of Brazil are only some such cases. Such a framework means a lot more transparency in reporting breaches.
Another thing the GDPR has exposed to people is how much of their personal data companies actually use and store without their knowledge. It’s not a new revelation – for instance, Facebook had its fair share of privacy scandals before the GDPR was in force. And who can forget the “let’s find out how much Google knows about you” guides?
The tech giants have never shied away from using the data that consumers willingly provide to target ads and make money. I've previously talked about surveillance capitalism and how personal data has become one of the biggest commodities today. The GDPR attempts to give control over personal data back to consumers and let THEM – let US – decide the extent to which we want our data mined for cash. The law requires organizations to use simple language to explain how they handle data, get explicit and affirmative consent from data subjects, provide them with information about what happens to their data, and delete it upon request.
It goes without saying that privacy in the digital age was one of the regulators’ biggest concerns when the decision to implement the GDPR was made. “Privacy by design” is one of the law’s central concepts. It follows that non-implementation of measures to protect the consumers’ privacy makes a company’s business model inherently flawed.
This is certainly a positive step towards fostering privacy culture and thus increasing a consumer’s level of trust. If a brand puts effort into ensuring it remains privacy-conscious and prioritizes the protection of its customers’ data to the extent that it is an integral part of their USP, that brand would most definitely retain more customers in the GDPR era than its competitors who don’t care about privacy.
One way to ensure “privacy by design” can be the implementation of Data-protection-as-a-service which I covered earlier this month.
However, the EU-wide framework that the GDPR has attempted to establish is far from uniform across the board. The EU Member States have each interpreted it in their own way. And another thing the GDPR hasn’t quite managed to get right is the fines. They may seem very high – up to 4% of annual turnover or 20m EUR (whichever is higher!) isn’t a small figure.
But one needs to remember that it is relative. The GDPR doesn’t differentiate between EU start-ups focused on greener living and tech giants like Facebook and Google. The French data protection authority did fine Google earlier this year for 50m EUR, but the corporation made over $33bn last quarter alone. So, for Google, 50m EUR isn’t a massive sum when you compare it against its profits.
For a small business, though, a sum of 4,800 EUR can be substantial. That’s the sum an Austrian entrepreneur had to pay in October 2018 for having a CCTV camera in front of his establishment. The Austrian data protection authority believes the fines should be proportionate – and yet, that’s not the official stance of the GDPR.
The lack of uniformity and harmonization in its implementation into national legal systems of the Member States isn’t going to do the concept of proportionality any favors either when it comes to the issuance of the fines. There’s nothing in the law that would make a lawyer or a data protection authority official conclude that a mid-sized cloud solutions company based in Germany and a company of the same size in Croatia would receive the same fine for a similar privacy breach.
There might be guidance in place that enables the authorities to take into account all the circumstances when assessing the severity of a breach, but there is no uniform approach to how the decisions are to be treated. We will most likely get some guidance in the next year or so from the relevant European bodies, but who knows what it’d look like. A lot of companies would surely be hit by then. Considering breaches on a case-by-case basis is well and good, but it doesn’t harmonize anything.
Finally, the law might provide a strong and transparent mechanism for breach reporting, and it tries to minimize the possibilities of personal data losses and leaks, but at the end of the day, technology moves much faster than any law. New hacking techniques are invented every day, and news about cybersecurity breaches is becoming more and more commonplace. Privacy by design is an excellent idea, but there is no such thing as a “perfect system”. All we can do is minimize and mitigate the negative consequences of a violation. The GDPR attempts to do that, but it’s only law, not a technical data protection solution with a 99.9% KPI.
The law did, however, provide a lot of new business opportunities for DPaaS start-ups, cyber insurance companies, and privacy lawyers. They’ve been quite busy this last year with the why’s and the how’s of the law’s application. It’s worth noting one particular group of organizations for which the GDPR is still a murky area, and that’s the Small and Medium Sized Enterprises (SMEs).
Earlier, I mentioned the fine issued to an Austrian entrepreneur. He was one of the SMEs that failed to comply with the GDPR in time. And he’s definitely not the only one.
According to the statistics, 96% of SME owners in the UK alone don’t know what the maximum GDPR fine is as a percentage of global turnover. Taking that figure into account, combined with the extremely low percentage of SMEs that know what rights the GDPR gives to consumers, we can conclude that we’re a long way away from small and medium enterprises being fully compliant. Even if the fine is lower tier, it could still cripple an SME quite substantially.
GDPR compliance isn’t cheap. The full costs can include:
- IT risk assessment;
- Recruitment and salary of a Data Protection Officer;
- Cybersecurity insurance;
- IT solutions for secure data storage.
There would be other, industry-specific costs involved as well. At first glance, it seems a lot for a small enterprise to bear. But once again, what SMEs mustn’t ignore are the costs of non-compliance.
This is another flaw of the GDPR. It doesn’t exempt the smaller companies operating in digital space from the wide breadth of fines a regulator can impose. That can be particularly risky for B2C start-ups, for instance.
Unfortunately, the regulators failed to account for the fact that not every business owner can afford a privacy lawyer or has the skills to understand a large piece of legislation, especially if they have no legal background. Since the statistics say that 96% of UK SMEs don’t know how the fines work, and 9 out of 10 have no idea of the rights it gives consumers, it’s very safe to say that they’re non-compliant. But can we really say that it’s their fault for not getting the message?
Perhaps it should have been communicated in a way that’s clear to everyone. And the UK isn’t alone in those statistics either.
So what now?
Did the GDPR manage to give the people back the control of their personal data in a year?
Well – not exactly. But it did raise a lot of awareness, judging by how many complaints were filed. And one can’t expect the people to be completely in control over the course of only 12 months. We can say for sure that consumers now understand how their data is treated a lot better than before.
The business community, however, is another story. The law might have been drafted well enough (debatable), but that doesn’t mean it got the message across. The statistics tell a story opposite to what the regulators had intended. Perhaps in a year or two we will see different results, after some guidance is issued on how privacy by design is actually supposed to work and be enforced, both in the EU and internationally.