The European Union hasn’t had a particularly enjoyable 2018, but one notable success story involves the introduction of its General Data Protection Regulation. One of the most significant pieces of data legislation ever introduced, GDPR has boosted consumer protection by forcing companies to undertake rigorous data management.
Since GDPR affects non-European companies with customers or intermediaries in these territories, it’s useful to consider what’s changed since it came into effect three months ago:
#1. It has raised consumer awareness.
The Facebook/Cambridge Analytica affair made headlines on both sides of the Atlantic, as the latest in a catalog of data misuse scandals. Email circulars and account notifications in the build-up to May 26th’s introduction raised public consciousness of data privacy – and of individuals’ legal rights.
#2. More people are reading privacy statements.
We’re all guilty of skipping to the end of certain documents, but GDPR has led to a marked increase in people reading and responding to privacy notifications. This has been reported by a number of leading organizations, including security specialists Symantec.
#3. Unambiguous user consent.
It’s impossible to view the content of many web pages without accepting cookies. This is one of the most visible effects of GDPR, which sets a high standard for consenting to the collection, use and storage of personal data. Pre-ticked boxes and apathy are no longer considered acceptable methods of approval.
#4. Greater online security.
Alongside the requirement to tell consumers how their data is being used and stored, the very definition of ‘personal data’ has expanded. It now includes digital footprints like IP addresses, over and above the sort of material submitted in forms or during ecommerce transactions.
#5. More data protection officers.
Companies with any European audience or consumer base have had to put someone in charge of their data, even as a secondary job on top of existing responsibilities. This individual has to conduct privacy impact assessments and respond to inquiries or requests for data. Speaking of which…
#6. Data inquiries are being addressed more quickly.
If someone lodges a written inquiry pertaining to GDPR, the recipient has 40 calendar days to respond. Breaches should be reported within 72 hours. Though there’s no fixed time limit on ‘right to be forgotten’ requests, data must be deleted ‘without undue delay.’
#7. Financial penalties for non-compliance.
Anyone wondering whether the above points really matter should consider the ramifications if a GDPR breach is proved. Fines go as high as €20 million, or 4% of a company’s global turnover from the previous financial year.
Perhaps worryingly, the legal ramifications of GDPR are only just beginning to manifest, including high-profile lawsuits against Facebook and Google. There are also inevitable reports of trolling, as bots flood privacy request portals and criminals try to impersonate unwitting citizens. Further refinement of GDPR is almost inevitable, to alleviate such concerns. Nonetheless, it’s achieved its primary objectives of re-balancing the scales between corporate objectives and personal protection – raising consumer awareness along the way.