This week is the first anniversary of the EU’s General Data Protection Regulation (GDPR). It was touted as the largest overhaul of data privacy in the world in more than two decades. So, has it delivered? And where are we today? Let’s take a look at five things we’ve learned since GDPR came into force.
The world didn’t end
Although we’ve seen enforcement, for all the dire warnings, the sky didn’t collapse in on us. Marketers still process personal data and customers still freely provide it. In fact, despite the effort and resources that it demands, the response has been rather optimistic and positive.
In a study by Goodway Group, 87% of those surveyed felt that data privacy would become even more important at their companies post-GDPR. Good data practices–as set out under the regulation–can help build new levels of engagement and loyalty with customers. According to Columbia Business School research, 75% of consumers are happy to share their data with brands they trust. Where companies have been advanced in their GDPR programs, 65% report it had a positive impact on their business.
Enforcers show their teeth (and reward good behavior)
Of course, GAFA companies were acknowledged in the industry as the primary target for GDPR. They collect and hold a lot of information about us and previous data privacy directives did not have the authority to rein them in; plus they are powerful and rich. But how about the little guys? How would data protection authorities (DPAs) handle the non-GAFAs? The second thing we’ve learned is that everyone’s in the firing line, across all industries. For example, the first GDPR fine occurred in Austria, where the regulator issued a €4,800 penalty to a retailer that used a surveillance camera that captured too much of the sidewalk. Portuguese regulators fined a hospital €400,000 for granting too many staff members too much access to patient records.
If your data management falls foul of GDPR, you can–and should–expect a call from a DPA. However, if you’ve made a good start on your compliance program and notify the authorities proactively when there has been a misstep, enforcers seem to be reasonable. For example, a social media company in Germany exposed the personal data of 330,000 users. Despite the size of the breach, regulators only imposed a fine of €20,000 because the company demonstrated it was making best efforts to comply.
There’s still a lot of work to be done
And that really is good news, as the third thing we’ve learned is that the majority of organizations are still not compliant. Research has shown that as few as 20% of companies in the EU, UK and US say they are fully GDPR ready, with 50% saying they are only at the implementation phase. Yet the EU reports that GDPR complaints are on the rise as people become more aware of their rights and more comfortable with exercising them.
Data privacy has gone global
The impact of the GDPR on how people and businesses now think about how personal information should be treated cannot be overstated. It has set the standard for what data privacy regulation and compliance will be moving forward.
Since the EU reformed data privacy, over 20 countries (and counting) have followed suit, including Brazil, India, Canada, and Thailand. In 2018 the State of California passed the most stringent data privacy law in the US today with the California Consumer Privacy Act, 2018 (CCPA), which takes effect January 1, 2020. Not to be outdone by California, 11 states – including Maryland, New Jersey and Washington – have recently introduced similar legislation. Perhaps realizing that it’s inevitable, the tech world – led by Apple, Google and Microsoft – is calling on the USA to bring in a federal data privacy law.
That means that regardless of where your organization is based, data privacy and how to demonstrate accountability must be top of mind.
We’re into the second wave
We’ve observed that the “first wave” of GDPR-readiness involved companies doing the bare minimum to become GDPR compliant by the deadline, however manual or inefficient the processes. That takes us to the fifth thing we’ve learned – smart organizations are moving to the “second wave”. This phase can be characterized as the move from privacy being a purely legal-driven exercise to one that is based on digital ethics and true information governance. It includes automating, integrating and centralizing privacy processes and adopting a “Privacy First” culture. No longer just a compliance checkbox, data privacy is being seen as a key principle that needs to be embedded into all facets of the business, and as the right thing to do.
Building a ‘privacy first’ culture
In this new world of data protection, adopting a ‘privacy first’ culture helps companies, because setting the highest standards for data privacy is required to adapt quickly to the different regulatory environments worldwide.
GDPR placed ‘Privacy by Design’ as a core principle of the regulation. This establishes that privacy must be built into every technology system and process from the outset, rather than bolted on as an afterthought. The concept was created by Dr. Ann Cavoukian when she was Information & Privacy Commissioner for Ontario in the 1990s. If you want to know what GDPR has achieved, then look no further than her response when Forbes asked if Privacy by Design was viable for today’s business: “If you had asked me a year ago, I would have argued that Privacy by Design is not realistic for business adoption, let alone, acceptance. It will upend process, structure and policy. However, within the mandate of GDPR this is an inevitability.”
How do you become a ‘privacy first’ organization? At OpenText we’re subject to global data privacy laws too. Join us at OpenText Enterprise World in Toronto where I will be co-delivering a talk with Vice-President Global Data Privacy and Compliance on how our own company is operationalizing data privacy. We’ll be sharing the biggest challenges organizations face and how we at OpenText are tackling them.
About OpenText Enterprise World
Experience OpenText Enterprise World, the largest EIM conference globally, at the Metro Toronto Convention Centre from July 9-11, 2019.