As GDPR’s One-Year Anniversary Approaches, Where Are We Now?

The first anniversary of the European Union’s General Data Protection Regulation is upon us, but experts believe the full impact has yet to be felt.

GDPR’s privacy framework has been groundbreaking in the way it empowers consumers to control their own personal data. In the year since its debut, GDPR has brought accountability and public awareness to the importance of data protection, consumer privacy, and cybersecurity.

Although enforcement of GDPR is still ramping up, and changes are still underway at some of the biggest technology companies, questions linger over whether the way GDPR is structured puts more pressure on smaller firms than larger competitors.

Companies like Google and Facebook are able to withstand the fines that come with noncompliance, while smaller companies feel a heavier burden as they navigate the new regulations. It’s possible that real change won’t occur unless the regulations are restructured so that companies big and small feel equal pressure to adhere to them.

“Google was the first enterprise to face the largest fine to date under the new privacy law. However, for an enterprise of this size, the $57 million fine was not devastating compared to their annual earnings,” says Monique Becenti, product and channel specialist at SiteLock, a firm that provides cloud-based website security solutions.

“Enterprise companies have more advantages over smaller businesses when it comes to complying with GDPR: bigger budgets, more robust legal teams, and more access to security talent to ensure proper requirements are met and enforced,” Becenti says. “These robust resources allow massive enterprises to bounce back from a penalty quickly and easier than a small business.”

From the perspective of consumers, GDPR has had a positive impact on privacy, and it has changed the way we speak about data and consumer protections on a global scale.

“As enforcement of GDPR accelerates and the conversations around data protection gain more traction with consumers themselves, companies are thinking about the security of their operations in new ways and building systems with a ‘security-first’ mindset,” Becenti says.

New surveys are showing that officials still have a ways to go before data protections like GDPR gain traction among consumers here in the United States. A survey by the data warehouse organization Snowflake found that 43% of Americans have never heard of GDPR.

Despite that lack of awareness, Americans would still like to see more being done to protect their data privacy, and changes among the broader population over the last year are clear. Seventy-three percent said they believe more data policy and regulation is needed. Privacy legislation is under way in 10 states, and the topic is making its way into the national political conversation ahead of the 2020 election.

That interest in increased regulation comes at the same time consumers have started pulling back on the information they willingly share with companies. According to a survey by the customer engagement firm Airship, people are becoming more selective in sharing their location data. The average opt-in rate for use of location data has declined from 9.3% to 7.7% worldwide.

“I expected that implementation of GDPR would lead more organizations to create proactive data privacy and security strategies. We’re starting to see more consumers take issue with data breach disclosure practices, which I think will lead to organizations prioritizing other facets of data privacy, like website security,” Becenti says.

GDPR has set the stage for similar legislation in the U.S. In California, for example, the California Consumer Privacy Act (CCPA) will go into effect next year. Like GDPR, the CCPA puts greater restrictions on how businesses can collect and use consumer data.

“Businesses with customers in California, even if they’re not based in the state, need to adhere to the state’s laws, which benefits consumers even outside the state by creating a de-facto national guideline,” Becenti says.

One year in, it’s clear that the full impact of GDPR still hasn’t been felt. The regulation is structured in a way that puts less pressure on large companies than smaller businesses, and that’s something that regulators will have to continue sorting out. But the changes Europe’s law portends are undeniable: Privacy legislation is coming to the United States, and the data collection practices that made many Silicon Valley pioneers rich will never be quite so unbridled again.

Stephanie Miles is a senior editor at Street Fight.