What we've Learnt from GDPR

GDPR’s stringent rules have ensured businesses can no longer be ignorant about how they obtain, process and store data. Businesses now need a legitimate reason to collect and use data, and they need to delete it once the purpose it was collected for has been fulfilled. Above all, GDPR appears to have given consumers complete control over their personal information. All this looks promising on paper.

But what exactly did the introduction of GDPR do? Let’s find out.

Impact 1: Global companies have started extending some of the benefits of GDPR to their worldwide users.

GDPR does not set out to protect the personal information of people living outside Europe. But companies like Facebook have already extended the European privacy controls to their users around the world.

If they didn’t, they would have to maintain different data protection regimes for different regions, which would only make data protection more complex. There is also the risk of attracting negative PR: if a company treats one region’s privacy as more important than the others’, what picture does that paint?

Moreover, countries around the world are looking to follow in the footsteps of GDPR with their own data privacy legislation.
Brazil’s General Data Protection Law (LGPD), the California Consumer Privacy Act (CCPA), and India’s draft Personal Data Protection Bill are all indications that more such privacy laws are going to spring up in the future.

Impact 2: Demand for Data Protection Officers has skyrocketed

The presence of a Data Protection Officer (DPO) is a crucial requirement for complying with GDPR. Though it’s not a new title, the introduction of GDPR has led to an enormous rise in the number of job postings for the role.

Back in 2016, there were 13 DPO job postings per million job postings. By the end of October 2017, there were 102 DPO job postings per million job postings – a 692% increase in 18 months.

Cut to 2019. There are now half a million DPOs employed compared to the 75,000 – 83,000 that had been estimated back in 2017.

Impact 3: Increased Spending on GDPR

The budgets that companies have been allocating for GDPR have been huge. Large European Union (EU) companies collectively spent about 1.1 billion dollars on GDPR compliance. Top US companies such as Facebook, Apple, and others collectively spent around 7.8 billion dollars on GDPR compliance.

Why did US companies have to spend 7x as much as their EU counterparts?

Because, unlike the EU, which already had the 1995 Data Protection Directive, the US didn’t have a data privacy regulation in place. EU companies therefore had a smoother transition. However, even after all this spending, only 50% of EU businesses will be GDPR compliant. But 4 in 5 companies are working towards compliance. That is a great sign.

GDPR Continues to Face Roadblocks

GDPR has undoubtedly given consumers greater control over their personal information. It has also tightened the screws on how businesses handle consumer data. However, it’s not free from hassles.

Roadblock 1: ‘We have updated our Privacy Policy..’
Since GDPR came into effect on 25 May 2018, consumers have been bombarded with ‘Privacy Policy Update’ emails. A key component of each of these emails is the request for consent. The problem is that nobody reads them. A week after the rollout of GDPR, Quora, like all companies, sent an updated privacy policy email to its users. The last line read, “your continued use of the service will be considered acceptance of our updated terms”.

Though that particular email didn’t request any consent, imagine the consequence if it had. Users would unintentionally be giving consent to share more data than they want to. Privacy experts believe this notice-and-consent model will only lead to consent fatigue, and hence it’s a process that needs to be replaced.

Roadblock 2: Understaffed Regulators
GDPR’s 72-hour deadline for reporting data breaches has panicked most companies. Fearing penalties, companies have resorted to flooding regulators with breach reports. The Information Commissioner’s Office (ICO), the UK body similar to the European Data Protection Board (EDPB), receives around 500 calls per week associated with data breach reports.

The ICO found that one-third of the incidents being reported were breaches that didn’t need to be reported.
Most regulators in the EU are understaffed to deal with such a huge influx of complaints.

Four Learnings From GDPR Projects Implemented In Diverse Industries

GDPR directly impacts strategy development and the implementation of new technological solutions for any business function in any industry. Hence, learnings from GDPR compliance projects implemented across diverse industries will certainly be useful for future reference.

The following learnings are based on interviews conducted by Deloitte for its study titled “After GDPR – Lessons and consequences from the advertiser perspective”.

Lesson 1: Starting early and involving all stakeholders is the key to success
Today’s marketing is predominantly data-driven. The sheer volume of data collected, the various tools used and the involvement of external agencies have made marketing more complex. More complexity requires more time for compliance. So executives at various companies suggested that it’s best to start early.

Moreover, there was great emphasis on cross-departmental efforts. Executives stressed the need for close collaboration among the marketing team, legal department, compliance department and the Data Protection Officer (DPO).
In the report, a Senior Project Manager at an e-commerce business intelligence unit states, “My techies maintained a good rapport and regular communication with the DPO to illustrate how data was technically collected and used for digital marketing campaigns”. Without collaboration, DPOs won’t be able to perform thorough assessments.

Lesson 2: The first step is taking a closer look at where you are now
Executives interviewed said a detailed analysis of the current data handling processes used in different systems is the first and most crucial step in any organization’s GDPR project. Internal data governance, processes, IT systems and contracts with external service providers all have to be reviewed. Next, a clear data flow diagram has to be created to understand how data flows through the organization. Finally, it has to be matched against the requirements of GDPR.

Lesson 3: Adopt an agile mindset when planning for implementation
Many of the interviewees said they found it difficult to decide on a project setup for the GDPR project. The Director of Digital Transformation at an FMCG company said the lack of guidance from authorities and the absence of reference cases only bred uncertainty. Hence he focused on creating an agile team setup.

Lesson 4: Promote awareness and train your employees
All executives interviewed recognized the importance of increasing awareness among employees about the risks associated with data processing. They stressed the need for periodic training courses and awareness programs. Some even said the real challenge is helping employees unlearn old practices and learn current best practices.

If you found this article helpful, do share it with anyone who wants to learn about GDPR’s performance so far.