GDPR 1 Year In: Fact v. Fiction
On the one-year anniversary of GDPR enforcement taking effect, you may be in a celebratory mood as you reflect on the impact it has had on the digital ecosystem, or you may still be cursing its very existence. Either way, it is hard to argue that GDPR hasn’t had a substantial impact on the digital sphere, if only by elevating data privacy to the forefront of consumers’ and businesses’ minds.
As we look back over the past year, we reflect on what has happened since GDPR enforcement started and try to separate fact from fiction. Despite its time in the market, there is still plenty of fiction floating around.
Fiction: Regulators haven’t done anything
Fact: Fines have been levied, with more to come
You’ve probably heard about the recent CNIL decision against Google for a whopping €50,000,000, but unless you happen to work at Google, you’re probably not losing any sleep over it. After all, we all knew Facebook and Google would be the first to be targeted under the new law, and we know they have enough money to keep the matter tied up in the courts for years to come.
So what about decisions against smaller players in the market, those without the kind of legal fund that, say, Google has?
- Bisnode: Swedish data-analytics firm Bisnode was recently fined €220,000 by the Polish DPA (UODO) for failing to meet the data subject rights requirements under GDPR. The fine isn’t much given the company’s annual revenues of SEK 3.696 million ($383M USD or €343M), but along with the fine UODO imposed a requirement to contact nearly 6 million individuals to inform them of their rights under GDPR. Bisnode estimates that this will cost nearly €8M in postage and handling alone, not including the administrative costs afterwards. Source: TechCrunch
- Vectuary: French adtech company Vectuary sent shockwaves last October when it received notice from the French data protection authority (CNIL) to fix its consent solution or cease operations. Given its size relative to Google or Facebook, it was unexpected to see a smaller player face stiff regulatory action, and it signalled to watchers that authorities aren’t looking only at the Big Four tech companies for enforcement violations. CNIL has since withdrawn its notice after being satisfied that Vectuary addressed the underlying concerns around informed consent, but the case serves as a reminder that your revenues don’t have to be in the billions for you to be subject to enforcement.
- Knuddels: German social media site Knuddels was hit with a €20,000 fine after disclosing a breach affecting 330,000 of its users. The German authorities took into account how quickly the firm notified affected users and imposed a smaller-than-expected fine as a result. As with the Bisnode decision, the fine doesn’t account for the administrative, operational, or opportunity costs incurred in dealing with the violation.
While the fines haven’t lived up to the hype of 4% of annual turnover, the enforcement activity has been impactful in forcing companies not only to comply but also to adjust their existing operations. As the Vectuary and Bisnode cases illustrate, it isn’t the fine that hurts most; it is the upending of normal business processes and operations, regardless of the size of your organization.
Fiction: People DON’T care about privacy
Fact: 61% of consumers make product decisions based on security & privacy
It’s true that some users are more comfortable sharing data online than others. But a PWC study found that 61% of consumers take security and privacy into consideration when purchasing products. Assuming a person’s level of comfort with sharing details online from their social media presence is a mistake. Context is important. Sharing photos or favorite restaurants online is different from, say, sharing medical ailments with advertisers. As outlined in the complaint filed against Google and IAB Europe, users generally don’t know how much intimate data is shared with advertisers. Medical conditions, political affiliations, and other highly sensitive data points are regularly collected and transmitted across advertising networks. As more of this is publicized and regulators take action, consumers will continue the trend towards protecting their anonymity online by installing ad-blockers or using VPNs. In the months following the Cambridge Analytica revelations, consumer trust in Facebook dropped by 66% (source). It’s not that people don’t care about privacy; it’s that users don’t KNOW how their privacy is affected on a day-to-day basis, which is precisely why GDPR includes its transparency and fairness principles. That lack of knowledge is rapidly changing.
Fiction: “Our GDPR work is done”
Fact: GDPR is just getting started
This one may be hard to swallow, but the truth is that, one year in, there are still plenty of unknowns about how GDPR will be enforced. As cases and opinions materialize, it’s likely that you’ll need to revisit your initial approach and perhaps even change it entirely. We see this as an opportunity to get ahead of what is likely to be the next disruptor for your firm, the ePrivacy Regulation, and to brace for the subsequent data privacy laws emerging globally. GDPR still serves as a model for data privacy legislation, and follow-up laws will likely adopt its principles of fairness, transparency, and disclosure. Staying on top of the latest developments and planning ahead will ensure that you’re not caught off guard and are ready to adapt.
As the recent decisions show, GDPR enforcement is only ramping up, and based on the decisions so far, transparency, fairness, and disclosure all remain top of mind for regulators. With, of course, more to come.