Even before it comes into effect, Europe’s new GDPR data protection legislation is already having a positive impact.
GDPR is a broad set of rules that require companies to treat customers’ personal information with care, and allow organisations to be held to account if they fail to do so. Among other things, GDPR insists that personal data has to be collected for specific and legitimate purposes: it must be accurate and must be protected against unauthorised access, accidental loss, destruction or damage.
While this seems straightforward enough, compliance with GDPR can mean big changes for many companies — especially if they have not treated personal data with the respect it deserves up to now. For example, the regulations require companies to report serious data breaches within 72 hours of becoming aware of the problem. Companies that get GDPR wrong can face fines of up to four percent of turnover.
Few EU residents are aware that the regulations are coming in, and fewer understand what they are about. GDPR has brought headaches and significant costs for many companies, which have had to update their systems with very little benefit to show for it. Critics say that the regulations will stifle innovation and risk blaming the victims of cyber crime — companies that are hacked — for the behaviour of the criminals that target them. They argue that the vast EU bureaucracy is simply adding another burden that businesses don’t need, and that GDPR is simply a licence for consultants and tech companies to print money.
Some of this may be true, but the benefits of GDPR already outweigh the potential downsides.
The most visible effect of GDPR so far, for most people, may be the blizzard of emails from companies seeking permission to continue sending marketing messages. Many people I speak to are cheerfully ignoring the entreaties to opt in, and are using GDPR as an opportunity to break up with companies they can’t remember agreeing to receive email from in the first place (I received yet another passive-aggressive GDPR compliance note while writing this).
But there’s plenty more going on. Many companies have invested in new security systems to make sure that data is properly protected and only accessed by the appropriate staff. Others have checked the data they hold for accuracy and whether it’s still legitimate for them to retain it. GDPR has provided many organisations with an opportunity to revisit their systems, and perhaps even create new revenue models and business opportunities. For others it has been a last-minute race against time to get ready before the deadline (if you’re still in that race, you can find a handy GDPR compliance checklist here).
GDPR has also forced the big tech companies to make changes to their policies.
Apple, for example, has rolled out new tools to European customers to make it easier for them to download the data the company holds about them and the devices they use.
GDPR’s impact isn’t only being felt in Europe: some companies feel obliged to offer the same level of privacy protection to customers beyond the EU. Microsoft, for example, has said that it will extend the rights available to Europeans under the EU’s new privacy regulation to all consumers around the world.
Facebook is another tech giant that will offer the same privacy controls and settings available to Europeans under GDPR to the rest of the world (although it has also made changes so that its non-European users — previously governed by terms of service agreed with the company’s international headquarters in Ireland — won’t actually be covered by GDPR).
Apple has also promised to broaden the availability of its privacy tools.
GDPR comes into force at the right time, with privacy and data protection currently high on the political agenda thanks to a number of recent data governance scandals.
Countless leaks and hacks have exposed vast amounts of personally identifiable information with very little impact on the companies or organisations that allowed it to happen. Regulators have not had the powers to make companies up their data-protection game. Companies that suffer data breaches may see a short-term dip in their stock value, but they tend to bounce back quickly, so the markets aren’t creating a deterrent either. Until now, there has been little incentive for companies to protect customers’ personal information.
It’s still early days for GDPR, and it will develop further once in force. Whether those big fines actually materialise will depend on how seriously companies have taken their preparations and ongoing compliance. Fear of these fines motivates much of the work being done, of course, but GDPR already shows that regulation can help to tame the behaviour of the tech giants.