GDPR: How Europe's digital privacy rules have changed everything

The European Union's General Data Protection Regulation is only a year old but is already having a big impact.
Written by Danny Palmer, Senior Writer

On 25 May 2018 the European Union's General Data Protection Regulation (GDPR) came into force. At its heart, GDPR set out to update rules around privacy and consent for the digital age and to ensure that organisations are responsible in their handling of their customers' personal data – and that those customers are aware of how their data is being used and that they consent to it.


The legislation is designed to ensure that precautions are taken to protect personal data, and that if an organisation falls victim to an attack or breach in which personal data is accessed, it reports the incident to its customers and the authorities within 72 hours of becoming aware of it.

In the run-up to the legislation coming into force, companies rushed to improve their processing of personal data, for example by getting explicit consent from customers to hold onto their data, or by hiring data protection officers to oversee GDPR compliance projects.


Why the scramble? The headline-grabbing feature of GDPR was undoubtedly that it introduced the risk of vast fines in the event of a data breach. It allows national data protection authorities to issue huge financial penalties for those organisations found to have been in breach of GDPR, and in particular organisations determined to be completely negligent could face a fine equivalent to four percent of their annual global turnover, a figure that could mean billions for the world's largest firms.

Some believed that May 25 would immediately see data protection authorities flex their muscles and issue fines, and the arrival of GDPR has seen some big fines. Most notably, the French data protection authority CNIL issued Google with a €50m fine for breaking GDPR rules around transparency and a lack of legal basis for processing user data around advertising.

It is the largest GDPR fine issued so far, and Google is appealing against it. But with €50m representing pocket change for a behemoth like Google, some argue that it hasn't gone far enough – or even that GDPR is a damp squib.

However, those who were expecting large fines to be issued so soon after May 25 probably don't fully understand what GDPR is, or how long investigations into breach notifications take to reach a conclusion.

"There was a false expectation about what the regulatory system could deliver in a limited time period: legal due process means that the Information Commissioner and other regulators have to take time after a problem before they can do much about it, there's law wrapped around that," says Stewart Room, data protection and cybersecurity partner at PwC.

"There's an impression that's been created in society that the regulators aren't doing much, but there's a lot going on behind the scenes. It just hasn't created the big bang explosion of fines yet."

Data watchdogs across the European Union are still investigating thousands of data breach notifications, so it could only be a matter of time before a bigger fine emerges as a result of the new data protection regulation. There's also a risk that the lack of a high profile fine will mean some companies will conclude that GDPR isn't worth worrying about.

"Not that I'm an advocate for significant fines; but there was a lot of fear and scaremongering around the size of the fines which could be issued with GDPR and if that doesn't materialise, there's a risk that companies could put it on the backburner," says Emma Wright, commercial technology partner at law firm Kemp Little.

"This time last year, all people had focused on for the previous five months was GDPR. But the longer we go on without a big fine, the more it'll slip down the order of importance," she warns. 

GDPR, however, isn't just supposed to be a club to beat organisations with; it's there to offer them the necessary frameworks to build data collection policies which not only offer additional consent and privacy to consumers, but if applied correctly, can also help the organisations get more from the data.

For example, in the weeks approaching May 25, consumers became inundated with emails asking them for consent to remain on mailing lists.

It annoyed many people, but as well as driving what could be seen as the largest data privacy awareness initiative ever, it also meant that when consumers chose to opt in and consent to organisations and businesses using their data, many of those organisations ended up with more useful data than they had before.

Organisations which may have attempted to amass as much data as possible in the hope of making a profit somehow are now generating business with a more tailored list – one which should prove more beneficial in the long run.

"One of the changes we're starting to see is the preference for first-party data, the data which comes directly from the consumer, because you have consent and the consumer trusts you," says Enza Iannopollo, senior analyst for risk and security at Forrester.

"Because of that trust, they're going to provide you with more accurate information, more relevant information - because with consent, if you're transparent and I trust you, more likely I'm going to share more data with you."

This has helped organisations when they've got to grips with GDPR, but 12 months on from the law coming into force – and having years to prepare for it – many organisations are still struggling to ensure everyone adheres to GDPR. 

"There's still a lot of work to do in terms of compliance," says Iannopollo.

"There have been changes around how companies are doing things, but these changes haven't gone as deep into operations as they should," she adds, pointing to how many companies still aren't adequately prepared to sustain data subject requests because they haven't created the correct infrastructure required to do so – something which needs addressing sooner rather than later.

"A lot of this will require the data protection officers to partner with IT, management and business teams in general – it's not possible to run big digital projects without involving your data privacy officer and changing the approach to data and the way to assess risk. A lot of work still needs to be done," she says.


But it isn't just businesses that are struggling to come to terms with what the reality of GDPR means; some argue that the policy isn't being applied equally across Europe as intended.

"Where in my view it hasn't really succeeded is creating a single level playing field across the European Union for data protection," says Paul Breitbarth, director of strategic research and regulator outreach at privacy compliance software provider Nymity and senior visiting fellow at Maastricht University's European Centre for Privacy and Cybersecurity.

While the European project exists around the idea of cross-border unity, there are elements of GDPR which don't apply across all states: for example, in countries including Germany and Finland, a Data Protection Officer is a requirement for being compliant, while this isn't the case for others. But Breitbarth said GDPR should be applied to the same standards across all EU states.

"You see that in the existing law there are member states where there's some deviation from the EU standard where it's allowed," he says, adding: "From the legislative perspective, the exemptions would be brought back to a bare minimum."

But despite this, Breitbarth argues that GDPR has broadly been a success because it has forced organisations to improve their data privacy practices, while also reminding consumers of their rights.

"Lots of organisations have improved their data privacy practices, reviewing their data retention schemes, reviewing their policies and making sure they're transparent about what they're doing with data and why – that's an important step forward," he says.

Now, because of GDPR, organisations are reaching the point where those at the very top need to be aware of data privacy, compliance and what it means if the organisation is found to be failing in these areas – but it isn't all the way there yet and Room compares the situation to that of cybersecurity a decade ago.

"The biggest lesson of GDPR is that the board isn't buying in a meaningful sense what we have with cyber. It isn't just realising a few million pounds of budget to do a data protection programme, it isn't about hiring a few data protection officers, that's not the board buying in," he explains.

"It's about the board saying, 'I want to own the data privacy myself, I want to understand it and ask hard questions about it' - that's the lesson of the last 12 months."

For the organisations which haven't yet bought in, it could be that only when they – or one of their competitors – are hit with a large fine will they start paying attention.

"Sadly, very often, that creation of change in the corporate mindset is associated with having to suffer pain: that's why GDPR has big fines, to create the pain," says Room. "Unless the pain comes, they will never buy in, because there's the argument around the hype Y2K fostered."

GDPR is very much a European project, but its ramifications have been felt around the world – in the immediate aftermath of it coming into force, European users found that they couldn't access some US-hosted websites. In some cases, this still applies. That's because GDPR doesn't just apply within the EU; if organisations deal with the personal data of EU citizens, then even if they are based somewhere else in the world they could well be defined as a data controller or data processor and will still have to take privacy legislation into account.


But some of Silicon Valley's most powerful corporations already appear to be preparing to operate in a world where greater levels of transparency and privacy must be applied to data.

Just this month, Google announced that it will only be holding location data on devices for a certain amount of time before it's deleted, while Facebook's Mark Zuckerberg has started to talk up the importance of privacy. Not everyone is convinced.

"It's too little, too late. Many of these tech giants are trying to use privacy to fill headlines and say privacy is important to us. But I struggle to understand how their processes, and how they treat data, could be changed so quickly," says Iannopollo.

There are now a number of similar privacy legislation efforts around the world, with countries including Brazil, South Korea, Japan and India preparing their own data protection laws, while California – home of Silicon Valley – is set to introduce its own California Consumer Privacy Act. These probably wouldn't be so high on the agenda if GDPR hadn't come along first.

"In the longer run, what I suspect we'll see is a higher level of privacy globally. Because, whether you like it or not, GDPR is setting a new global standard for privacy and data protection compliance and you see that more and more countries are following at least some elements of GDPR," says Breitbarth.
