GDPR: What's really changed so far?

Two months on from the introduction of GDPR and the new privacy rules have started to have an impact.
Written by Danny Palmer, Senior Writer

The European Commission's General Data Protection Regulation (GDPR) officially came into force across the European Union on 25 May, with the aim of bringing laws and obligations around personal data, privacy and consent up to date for the internet age.

While organisations had years to prepare for GDPR coming into force, many appeared to panic, with internet users finding that throughout May their email inboxes were jammed with messages from companies asking them to opt in to keep receiving emails and to give permission for the organisations to use their data.

But after the flurry of emails before 25 May, it all seemed to go quiet. So while GDPR might be benefiting consumers by emptying their inboxes of unwanted mail, when it comes to businesses, what's happening with GDPR now?

This rush to ensure that users gave their consent to organisations was tied to the most highly publicised element of GDPR: that businesses must ensure they're compliant with the data legislation so that consumers' data is kept safe.

But if data is breached, stolen, or otherwise misused and the organisation is found to be non-compliant with GDPR, it risks fines from the European Union of up to four percent of global turnover. While it's too early for any of these fines to have been imposed, making sure their systems are up to scratch continues to be a big project for many businesses even though the initial deadline has passed.

Away from the headline-grabbing prospect of fines, GDPR has started to have an impact on organisations elsewhere -- and it isn't just limited to Europe, as any business which has operations within the EU must be compliant.

That means the likes of Google and Facebook have found themselves having to take GDPR into consideration. It's something Google CEO Sundar Pichai says the company has been working on for a long time -- at least 18 months.

"For us, it's been super important to get it right, and we've always been focused on user privacy. But it's been a big change for a lot of our partners as well, and so we are working closely with our partners and regulators and committed to doing it right," he said on a recent earnings call, but added "it's too early to tell" when it comes to how it has directly impacted users -- and its revenue.

Meanwhile, Facebook has seemingly blamed GDPR for a decline of about a million monthly active users across Europe during the last quarter.

"It is worth noting that MAU and DAU [daily active users] in Europe were both down slightly quarter-over-quarter due to the GDPR roll-out," said Facebook CFO David Wehner, speaking on a recent earnings call.

In addition to the numbers of monthly and daily active users going down, Facebook has partially blamed a slowdown in advertising revenue growth within Europe on GDPR.

"European ad revenue growth decelerated more quickly than other regions and was impacted primarily by reduced currency tailwinds and, to a lesser extent, the roll-out of GDPR," said Wehner.

The company has attempted to shrug it off as insignificant in the global scheme of things, but also seems to be prepared to take a larger hit in future as a result of the data protection laws.

"GDPR has not had a significant revenue impact, but we also recognize it wasn't fully rolled out this quarter," said Facebook COO Sheryl Sandberg.

"But as we look further out, we recognize that there's still risk, and we're going to watch closely. Advertisers are still adapting to the changes, so it's early to know the longer-term impact," she added.

The introduction of GDPR has changed how Facebook and many other organisations now have to do business.

For years, businesses were able to keep data about customers on record -- even those who hadn't used the service for a long time. But when GDPR arrived, suddenly these organisations had to ask users if they wanted to opt in to services.

While some users will have chosen to give their consent, many will have withdrawn it, and others may not have been able to explicitly give it because emails were lost in old inboxes or junk mail folders -- for organisations, that led to the same result as opting out.

"The opt-in environment can only have reduced business volume in the activity of direct marketing -- it can't have made it go up, it can only make it go down," said Stewart Room, lead partner for GDPR and data protection at PwC.

"What it has done is it's increased awareness. There was more outreach done on data protection in the months of May and June 2018 in Europe than has ever been done in the entirety of the world in the history of data protection," said Room.

While there's a focus on organisations like Facebook and Google which are well known for using data as a product for generating revenue, they're far from the only ones which have been hit by GDPR.

"Many companies have reported a decrease of about 25 percent to 40 percent of their addressable market. These are customers or prospects that have not given their consent to receive marketing communication or be profiled," said Enza Iannopollo, senior analyst at Forrester.

And it isn't only within Europe that GDPR has led to users withdrawing or being more cautious about consent.

"Our data shows that 1 in 3 US adults refused to complete an online transaction because they read something in the privacy policy that didn't resonate with them," she added.

Some companies are still trying to decide how to tackle GDPR; publisher Tronc is now not displaying some content to users in Europe, pointing to GDPR as the reason.

"Unfortunately, our website is currently unavailable in most European countries. We are engaged on the issue and committed to looking at options that support our full range of digital offerings to the EU market," says a statement on the Los Angeles Times and other Tronc websites -- and that statement has remained the same since May 25.

GDPR coming into force on May 25 wasn't a one-off event -- organisations need to continue to ensure they are compliant with GDPR, and just assuming this is the case or forgetting about it is likely to end with them being found to be non-compliant in the future.

"Don't assume GDPR is a damp squib because you haven't been caused pain, if you stop paying attention, you risk paying the price in the future," said Room.

And for those organisations which have opted to just ignore or abandon their European markets for now, that's unlikely to be sustainable in the long-term: California, Brazil and Australia are just some of the regions that have introduced or are examining the introduction of new privacy legislation.

Those organisations which decide to simply shut themselves off from regions with privacy legislation could therefore quickly find that they have nowhere to go.

