Since GDPR came into force on 25th May 2018, it has fundamentally altered the global privacy landscape: over half of global GDP now falls under GDPR-like standards. However, there is still much work to do, with the last year seeing a patchwork of successes and failures as businesses of all sizes scrambled to address the most extensive data law ever put into force. One year on, it begs the question: how much longer do we have to wait until the privacy promise of GDPR becomes a reality?
Consumers and businesses are waking up to privacy
There is no doubt that, in terms of awareness, GDPR has already had a positive impact with consumers’ understanding of privacy issues at a record high. After GDPR came into effect, Europe saw a record number of complaints about how personal data is being handled. The UK led the way, with the Information Commissioner’s Office (ICO) reporting a 260 per cent increase in complaints in the period immediately following the 25th May, totalling 37,798 over the last year. The Irish DPC recorded 6,000 complaints in the same period.
Privacy is also increasingly becoming a board-level issue for businesses - earlier this month Google rolled out several new privacy-focused products, with its CEO stating that ‘privacy should not be a luxury good’. For those falling behind, regulators such as the FTC are demonstrating their commitment to executive oversight by demanding the creation of board-level committees dedicated solely to privacy. The introduction of Data Protection Officers as required by GDPR is certainly placing a healthy tension in the decision making of data-driven businesses, however like many of the tangible results of the new law, their impact on the privacy promise remains to be widely acknowledged.
Implementation difficulties are undermining confidence in GDPR
More apparent is the reality that both businesses and consumers are still suffering from the short-term difficulties of implementing GDPR. A year after the implementation of GDPR, European enterprises view data protection and privacy as the most challenging area of regulation for their
In particular, companies are struggling with data integration and compliance. As the number of complaints, deletion and suppression requests rises it’s become clear that the way user data is stored and the cost of building compliance infrastructure is preventing businesses from fully complying with GDPR because of the way data is siloed in a business and the expense of creating the infrastructure required for compliance. Solving this engineering challenge requires a holistic approach to customer data architectures and digital identity that can connect these silos and make user data suppression and deletion requests easier to enact. Even in the most hybrid data architectures, that have credentials and PII spanning mainframes, legacy apps on premise and SaaS apps served from multiple jurisdictions will benefit from the introduction of a horizontal platform approach, providing a connective layer that can be exposed via data dashboards to enable customers to self-serve their own data management.
The vastly more common experience for consumers is frustration at feeling the knock-on effect as some businesses struggle to comply. In some instances, it’s clear that in the first 12 months of introduction, GDPR embodies the law of unintended consequences. For consumers, rather than experiencing a new era of data transparency, the most noticeable impact of the new regulation has been a significant worsening in their internet experience. Because of the way advertisers and publishers have approached the cookie management issue, the “opt-in”, “opt-out” process that users must pass through to read any content is more of a hindrance than a way to empower and educate users, and is often delivered in such a clunky fashion that it seems designed to confuse and catch people out. Even worse, some websites still remain inaccessible to EU users a year on from GDPR like the Chicago Tribune, the eighth-largest newspaper in the US. It remains to be seen if this sticking plaster approach to compliance will work longer term, but it’s clear there’s still a long way to go before GDPR truly fulfils its primary goal of putting users back in control of their personal data.
We can’t wait for regulators to force our hand
As the UK’s information commissioner, Elizabeth Denham, recently pointed out, the GDPR is at a critical stage and the next phase of change is not assured. While countries such as Brazil, India, and Japan have adopted GDPR-inspired privacy standards, other efforts, most notably those in the US, are floundering - only last month a much-anticipated privacy bill introduced in Washington failed to pass due to legislative gridlock.
The prospect of a wave of enforcement actions related to data privacy breaches attests to the fragility of the current landscape. The US FTC, the UK ICO and Irish DPC have all recently announced impending action ahead of the near-completion of several major data privacy probes. In ascribing a reason for the flurry of enforcement action, Denham said the GDPR was supposed to enshrine in law a responsibility on data-handling businesses to understand and mitigate risk they create when handling data. However, her comments made clear that this change is not yet evident in practice, saying: “I don’t see it in the breaches reported to the ICO. I don’t see it in the cases we investigate, or in the audits we carry out.”
This highlights a fundamental aspect of GDPR, which is often lost in discussions about fines. A privacy-first approach cannot be forced upon companies by regulators and legislators. In the same way, that environmental regulations led to cleaner air but also permitted acceptable levels of pollution, privacy regulations won’t eliminate profiling, abuses or mass data collection. To achieve this, consumers must let companies know that this behaviour is not acceptable by voting with their feet (or thumbs). The power to change the privacy paradigm, permanently and fundamentally, in the image that GDPR envisaged rests in the hands of consumers who use their technology (or choose not to). Certainly the introduction of consent as an ongoing requirement for continued engagement with personal data beyond legitimate use has a long life ahead and those enterprises that embrace the concept of an exchange of value with their customers will see this pay dividends with customers feeling confident to share more of their data rather than leave services that do not respect privacy.
Consumer ownership of data is the future
One thing that GDPR has made clear is that the old model, where users were harvested for as much data as possible and given only the bare minimum of control and visibility, is no longer acceptable to users. Consumer ownership of data is the dream and GDPR is just the first significant step towards making it a reality despite the current difficulties. We are seeing a rising tide of data regulations globally, all aimed at putting users back in control. Meanwhile, initiatives in Financial Services such as Open Banking are laying the groundwork for a future where consumers are able to control and manage their data so that it can be used to benefit the individual, not just the business who collects it. This approach will eventually become the norm across industries - the UK’s move towards a Pensions Dashboard is another example - and those companies that are able to adapt effectively and deliver the trust and convenience that consumers want will have a major competitive advantage.
Nick Caley, Vice President - Financial Services and Regulatory, ForgeRock
Image Credit: Visualsoft