2 years after the Introduction of GDPR
European awareness of data protection has been steadily increasing since the adoption of the General Data Protection Regulation (GDPR) in 2018.
Over the past two years, European data protection authorities have given out colossal fines to some of the toughest giants on the market that have violated GDPR regulations.
Despite the initial re-arrangements and inconveniences that most companies had to endure to ensure GDPR compliance, it turns out that not only has data protection become an important way to earn trust from customers, but it is in fact a worthy investment in terms of long-term customer satisfaction.
The Cambridge Analytica Scandal Changed the World
Most people would have blissfully ignored the elephant in the room for years to come if it wasn’t for the eye-opening Cambridge Analytica’s data misuse story, the Facebook leak of ½ billion phone numbers, or the Elasticsearch server personal data breach.
These cases and others proved that a unified and legal mechanism that could enforce digital privacy and data protection measures for both consumers and organizations was more than required.
Non-governmental organizations such as NOYB (None of Your Business) and La Quadrature du Net played an important role by preparing a strong and popular legal case for European data privacy (which is at the core of GDPR today) and by raising awareness across social media on this topic.
“There is an overwhelming societal desire for transparency on managing and the use of personal data, so the GDPR has superseded everything else”
Laybats, C. & Davies, J.
The driving element for such a unified approach was the idea that exploiting personal data is not just an issue to one or more individuals but a major threat to EU democracy.
And so, in May 2018, ahead of the rest of the world, the EU enacted GDPR, not as a mere directive but as a fully operating law, carrying a clear and strong message to its member countries: all private and public organizations shall operate only with the informed consent of their consumers. Putting consent at the center of GDPR turned the law into a symbol of protection of fundamental civic rights and empowerment over personal data.
From Guiding Principles to Legally Binding
GDPR was not the first initiative of its kind. The EU Data Protection Directive has been available since 1995. These new privacy laws relied on the old directive and its basic principles, but they added new definitions and requirements concerning transparency and disclosure to reflect the changes in technology that had happened since.
Because it was a normative act and not a self-executing law, the EU Data Protection Directive had a guiding role, with no coercive effect on its member states.
“Privacy is not something that I’m merely entitled to, it’s an absolute prerequisite.”
Marlon Brando, Actor
Individuals Take Back Control Over their Data
Consent is at the heart of GDPR.
The law requires that consent must be implemented as a transparent, informed, and clearly communicated agreement between consumers and any EU organization by offering individuals a genuine choice and full control over the processing of their personal data.
The once volatile and often implicit consent process has now become a clear and specific statement of what a data owner gives consent to.
Digital ecosystems in which multiple players access and share various resources now require users to approve 3 dimensions of consent: user-to-organization, user-to-user, and user-to-application.
GDPR not only educates and empowers individuals to control what sort of data they share, but it also encourages them to proactively request that their record is deleted if they feel that it’s being misappropriated.
8 Protection Principles
Consent is not the only element; it is part of the eight GDPR principles that EU individuals can invoke to protect their privacy and personal data:
- The right to access – individuals have the right to request access to their personal data and to ask how their data is used by any company. Companies must provide a copy of the personal data for free.
- The right to be forgotten – if individuals withdraw their consent from a company to use their personal data, they have the right to have their data deleted.
- The right to data portability – individuals have a right to transfer their data from one service provider to another.
- The right to be informed – individuals must be informed before their data is gathered. Consumers have to opt in for their data to be gathered, and consent must be freely given and NOT implied.
- The right to have information corrected – individuals can update their data anytime.
- The right to restrict processing – individuals can request that their data is not used for processing purposes.
- The right to object – individuals have the right to stop the processing of their data for direct marketing. Any processing must stop as soon as the request is received.
- The right to be notified – when a company has suffered a data breach which compromises an individual’s personal data, the individual shall be informed of it within 72 hours.
Consumer Awareness? Yes. Still More to be Done
A Eurobarometer report from June 2019 revealed that 73% of the individuals interviewed had heard of at least one of the 8 rights guaranteed by the GDPR.
Interestingly enough, 65% were concerned about the right to access their own data, 61% about the right to update it, 59% about the right to object to receiving direct marketing, and 57% worried about the right to have their own data deleted.
However, the study also found that data protection remains a concern, with 62% questioning the lack of control over their personal data shared online.
We can see that, although great progress has been made in terms of crowd awareness, there is still more to be done. In particular, there are many smaller businesses that are still not prioritizing GDPR compliance as much as they legally should.
89,000 Data Leaks
People across all digital markets have started to understand their individual values and are more vigilant about the way their personal data is being used online. Complaints about unwanted marketing and promotional emails, employee privacy, access and account deletion requests, and video CCTV surveillance have started to pour in.
On the first anniversary of GDPR’s implementation, in May 2019, the European Data Protection Board disclosed that there had been more than 144,000 privacy-related complaints raised by EU citizens and over 89,000 data breaches. Of these complaints, 63% had been closed and 37% were still ongoing at the time the report was issued.
The IntoTheMinds marketing agency collected information from the data protection authorities in almost every EU country. Their research uncovered that in 2018 alone, there was an 86% increase in complaints related to privacy in data protection, doubling the number of complaints per capita, with the UK guilty of the largest increase.
Google Fined for 50 million EUR
The fact that any person or organization has the know-how, the tools, and the intent to collect and use our personal data in ways we never expect or disagree with has finally been acknowledged as a “pivotal privacy concern”, although it has yet to be fully addressed.
Having said that, we have seen a committed effort from EU data protection authorities to implement these new privacy rules. Most EU states have adjusted their laws so that any business and legal entity that provides services to the EU is obliged to be fully compliant with the GDPR requirements, regardless of whether the data processing takes place in the EU or not.
The EU has taken a wide range of actions against GDPR violators over the last two years, from charging hefty fines (up to 20 million EUR) to imposing a permanent or temporary ban on data processing – all of them having a serious business impact on the organizations concerned.
Protection authorities may impose fines of up to 4% of a company’s annual turnover.
Authorities take into consideration various factors before applying a fine, such as the severity, duration, and history of the infringement, the type of data involved, the corrective technical and organizational measures taken, and so on.
So far (until the end of 2019), there have been more than 250 fines issued, varying from 100 EUR to 50 million EUR. The value of these issued fines has totaled over 400 million EUR and has involved big names such as Google (50 million EUR), Marriott International, and British Airways (litigations currently in progress).
“For the first time a European data protection authority is using the possibilities of GDPR to punish clear violations of the law”
Chairman of NOYB, Max Schrems
More recently, another technology company has been fined 150,000 EUR for similar GDPR infringements, and in March 2020, the media reported that Cathay Pacific may be charged with over 500,000 EUR for not properly securing their infrastructure and causing their customers’ personal data to be exposed.
A quick look at the agenda and coercive actions of the ICO (the UK’s Information Commissioner’s Office) demonstrates how serious GDPR compliance has become.
Next up: Cookie Consents
The ePrivacy Regulation (ePR) is seen as an extension of GDPR and it defines how a website or application must manage EU visitors’ cookie consents. Companies need to be careful with how they handle consumers’ data but they also have to protect their consumers’ identities across all digital communications, such as in emails, chats, VoIP (Voice over IP) calls, push notifications, and more.
The ePR was initially drafted together with GDPR as a cumulative update to the old privacy directive. In fact, ePR and GDPR are updates to Article 7 and Article 8 in the EU Charter of Human Rights:
- Article 7 Respect for private and family life
- Article 8 Protection of personal data
The implementation of ePR is currently delayed due to criticism and heavy lobbying from major online media and advertising companies whose turnover relies heavily on the use of cookies. However, pro-data protection lobbyists are hopeful that ePR will soon become legally binding.
The Ripple Effect of GDPR
Fueled by the GDPR initiative and its success, similar actions have started to take shape outside the EU. In the US, the California Consumer Privacy Act (CCPA) will become effective in 2020 and it will protect data privacy rights similarly to how GDPR does.
“We all know that data is money, and for this reason, businesses have been on a data gathering binge enabled largely by the internet. All that is about to change,”
Chris Olson, CEO The Media Trust
India’s PDPA (Personal Data Protection Act of 2018) has been drafted and Brazil is working on its own version – LGPD (Lei Geral de Protecao de Dados) – which will also enter into effect in 2020. Several more countries such as Israel, Argentina, and even China are working on similar privacy laws and regulations.
We are witnessing a progressive and steady “GDPR-isation” of our laws, digital markets, and tech culture. Even major media outlets such as The New York Times are following the example of their EU counterparts and now dedicate time and resources to write extensively on privacy matters.
Security Brings Trust, Trust Leads to Profit
Companies are starting to realize more and more how important protecting personal data is to their consumers.
Thanks to the wider awareness that GDPR has uncovered, expectations have also changed. Consumers now expect a higher level of trust from businesses in order to keep them engaged.
To say that PII breaches pave the path toward bankruptcy is as accurate as it can be. A study by Baringa Partners back in 2018 found that: “In the event of a data breach, 30% of people would switch providers immediately and a further 25% would wait to see a media response or what others say and do before switching to another provider. It’s clear that the majority of customers, by and large, trust businesses with their data. But it’s also clear that businesses cannot afford to be complacent... if companies fail to shore up their data defenses, it is their brand that will take the hit” (Daniel Golding, Director at Baringa Partners).
Another significant study, conducted by Deloitte, concluded that: “Consumer product executives should consider viewing data privacy and security not just as a risk management issue, but as a potential source of competitive advantage that may be a central component of brand-building and corporate reputation.”
Deloitte’s research revealed that “80% are more likely to purchase from consumer product companies that they believe protect their personal information. 70% of consumers would be more likely to buy from a consumer product company that was verified by a third party as having the highest standards of data privacy and security.”
Leverage GDPR Compliance for Increased Consumer Trust
In order to sell online products or services, consumers first need to be able to access them. From the very beginning of the e-commerce era, companies have used every available design and marketing strategy to discourage visitors from spending time reading privacy policies before accessing their website.
Too often online applications were designed in ways that encouraged users to give their consent without proper consideration. All sorts of techniques have been used to make users accept terms quicker: smart layout and text positioning, colorful acceptance buttons, lengthy documents written in small font, and so on. Although these techniques have been successful, the unethical aspects of these marketing tactics have been raised by consumers in privacy complaints later on.
“If you make customers unhappy in the physical world, they might each tell 6 friends. If you make customers unhappy on the Internet, they can each tell 6,000 friends.”
– Jeff Bezos, CEO Amazon
Companies are now learning that they can actually leverage GDPR in positive ways.
A transparent privacy policy showing off improved business practices and security measures reassures customers that your brand can be trusted.
Implementing a simple but efficient consent enforcement solution that covers the full user lifecycle, from account creation to deletion, and hosts enriched logs that keep a history of all user consents (policy versions accepted or rejected, timestamp, region, etc.) will take care of customers’ privacy needs and build trust between the company and its consumers.
Conclusion
GDPR is not about compliance, it’s about consumer centricity.
By being fully transparent on how they use their consumers’ data and by implementing mechanisms to appropriately manage PII and prevent data breaches, companies can prove that they put their consumers first so that they can feel valued as individuals and not as mere figures anymore.
So, although GDPR compliance can be challenging at times, it leverages significant opportunities in terms of customer engagement and retention.
As trust becomes the critical exchange currency on the consumer side, investing in access management technologies that are designed for GDPR compliance and the opportunities it brings should become a top priority for companies operating in the EU and, soon enough, across the digital world.