The General Data Protection Regulation (GDPR) went into effect on 25 May 2018. The data privacy law applies not just to large, global companies but to businesses of any size that hold and process data of EU citizens irrespective of its geographical location.
The main aim of GDPR is to harmonize the disparate data privacy laws across Europe, protect the personal data of EU citizens, and transform how organizations think and manage personal data.
Since it is a regulation and not a directive, EU member states did not need to pass their own enabling legislation to give it effect. GDPR became applicable and legally binding in all EU member countries on 25 May 2018.
Now that we are three months into GDPR, it is worth asking whether it has made any difference, or whether it was just a big hype not unlike Y2K.
Here we will look at whether and how the data privacy laws have made a difference to the way data is handled, from both the companies' and the customers' point of view.
The Impact of GDPR on Companies
GDPR was introduced to bring transparency in the digital economy and help support the data privacy rights of individuals residing in the EU.
The UK government introduced a new Data Protection Act in 2018 that has the same provisions as the GDPR, albeit with minor changes. This means that even after Brexit, companies that handle the personal data of British residents will have to follow the regulation's provisions on data privacy.
The GDPR has introduced a class action lawsuit model that allows privacy activists, irrespective of where they are incorporated, to sue and collect fines on behalf of their clients. This is unlike the patent troll abuse of the IP rights regime.
There have been more than 100 GDPR data breach notifications in Austria, while complaints in France have increased by over 50 percent compared to previous years. The UK's Information Commissioner's Office has also confirmed an increase in breach notifications and complaints. But to date, three months in, no penalty has been imposed on any of the alleged guilty parties.
Max Schrems, an Australian privacy campaigner, filed a lawsuit of around $8.8 billion against Alphabet Inc., the parent company of Google, and Facebook Inc. for violation of the EU data privacy rules. Schrems alleges that, despite their assertions of conformance, these companies were not even trying to comply with the GDPR, let alone hiding their non-compliance.
Moreover, according to research carried out by Catchpoint, the page load times of the EU versions of US-based websites have decreased (that is, pages load faster) since the GDPR came into effect.
For instance, the UK and French versions of USA Today had load times of just 0.42 and 0.75 seconds, respectively, as opposed to 9.86 seconds for the US version. The faster load times were attributed to the removal of third-party services such as ad servers, social media plugins, and Google Analytics from the EU websites.
Another research report consistent with the above finding came from analytics firm Ezoic, which found that ad rates have increased in the US while they have decreased in Europe since GDPR implementation. One explanation for this is that advertisers have started pulling online inventory from the EU and investing in the US.
The Impact of GDPR on Customers
After the introduction of the GDPR, many international organizations blocked access for European visitors. Over 1,000 websites, mostly US-based, were unavailable to EU readers after the data protection laws went into effect. Some online gaming firms such as Ragnarok have also blocked access to their services in the EU, citing increased costs due to GDPR compliance.
In addition, there has been another unintended consequence of the GDPR laws — ‘checkbox’ fatigue.
Residents in the EU are frequently presented with an opt-in consent prompt on online apps and websites. If they do not read it and check the box, they cannot access the content. Many users simply check the box without reading, thereby waiving their privacy rights. A by-product of this is a poor customer experience, which could hurt an online company's brand image and consequently its revenues.
Verdict on GDPR — Long on Speculation Short on Reality
The GDPR was introduced to preserve the privacy of residents' personal data. However, three months after its introduction, it seems it has not had the intended effect.
To a large extent, GDPR appears to be a hype similar to Y2K, which came and passed without making any significant impact on data protection. While there was a frantic scramble by organizations in the 12 months prior to GDPR enforcement, the sheer scale and cost of becoming compliant has forced most companies to adopt the Pareto (80/20) rule – do the minimum to remain compliant.
Unless companies that violate the rules are caught and made an example of, the use and abuse of personal data will remain unchecked.
The biggest shortcoming of GDPR is that it has failed to make the general public realise the importance of the privacy of their personal data. Although some online consultants advise customers on how to become GDPR compliant, there is hardly any communication to the general public on the importance of personal data remaining personal.
That being said, there have been certain positive aspects of the GDPR as well that are worth noting. Companies have started making efforts to ensure the protection of residents' personal data. For instance, Facebook has recently introduced the 'Clear History' feature, which allows users to identify and remove third-party sites and apps that access their personal information.
In addition, many online companies have hired security specialists including data protection officers to avoid harsh penalties. The law has encouraged companies to upgrade servers, networks, and infrastructures to protect against potential data breaches. The enhanced data security measures will inevitably benefit the companies in the form of a loyal customer following in the EU due to increased trust.
So, both positive and negative rhetoric can be associated with GDPR. Whilst GDPR is a step in the right direction in our data-fuelled economy, most companies are adopting a wait-and-watch policy, preying on the ignorance of the general public. Like all regulations, its power comes from the general public being aware of their data privacy rights and taking the organizations that violate the law to task. As long as the general public are happy to waive their privacy rights, GDPR can do very little to transform the data culture within an organization.