GDPR is Two Years Old. Here’s How It’s Working and What the US Can Learn from It
This week marked the two-year anniversary of the General Data Protection Regulation, Europe’s major privacy law. GDPR was the first major European effort to put some legal and regulatory power behind demands for less free-wheeling data collection and selling.
The legislation sent an unprecedented signal that any company collecting vast amounts of consumer data would need to take getting consent for that information seriously. It even caused multiple tech firms to shutter their European operations.
But for consumers, day-to-day collection and use of their data may not appear all that different besides some extra online notices asking for consent. What’s more, the legislation has affected small players while the big firms such as Google, Facebook, and Amazon continue to run the table.
To gauge just how GDPR is working out and what regulators might do to move the ball forward on privacy, Street Fight got in touch with Russell Sutton, SVP of data, EMEA, at MightyHive.
What were the main objectives of GDPR?
The GDPR aimed to standardize data protection laws across EU member countries. The standardization was key — consistency makes it far easier for organizations to comply.
It included some key principles, such as:
Transparency and lawfulness: I know what you’re doing with my data; you must be clear, open, and honest about what you’re going to do with my data; and you mustn’t use the data in a way that is detrimental to me.
Purpose limitation: You have to tell me what you’re going to do with my data and can only use my data for the reasons that I consent to.
Security and accountability: You must secure my data, and there is clarity around who is accountable/responsible for my data.
Huge fines if you don’t comply: A lot of regulations to make sure the law has bite!
These legal points are key. In practice, though, I think of it like the end of the wild west. There had been a rapid expansion in the collection of personal data (due to the internet) with few rules and laws. Bad habits formed that weren’t in the best interests of citizens or firms. For example, many brands stored data indefinitely because storage (computing) is cheap and it was expensive to delete that data (time had to be taken to define what data should be deleted and what data was no longer of use).
The GDPR stamped order onto the wild west, tipping the balance and giving control of my data back to me. It also gave organizations clear, if not tough, instructions on how to be a custodian of my data. These were both great aspects of it.
Notice this is about me and my data. GDPR framed personal data as exactly that — my data, about me, where I have a say in how and when my data is used and shared. This, for me, was the biggest change.
In what ways has the legislation been successful?
Before, data was a “wild west.” There were no real rules and everyone was making up the rules as they went along. For example, clients had few processes around the retention of data, storage was cheap and deletion expensive. The buildup to GDPR changed that — everyone had to mature from the wild west into a rules-based order.
Now, the culture in Europe has changed. Firsthand conversations with brands show me that people really are thinking “privacy first.” Privacy has been hardwired into processes and tech stacks (for clients at least). They’re not just paying lip service, they’re actively factoring privacy into their plans. There are clear audit trails of where the data ‘lives’ and who has access to it. This is no small achievement. Is it perfect? Nope. But citizens have clear rights, as they should.
In what ways has GDPR failed to produce the desired regulatory results?
There is still confusion as to ‘where the privacy line is drawn.’ There is a lack of clarity regarding boundaries of execution (what you’re allowed to do versus what’s not legal), which results in a worse experience for users because of these shortcomings. We see this every day in the industry, and it’s a sizable issue.
GDPR is a force for good and now implemented, it gives a level playing field for brands. If this unravels, the path toward good data privacy will be much more difficult. Unless EU nation states are seen to actively enforce GDPR regulations, standards will slip and big tech companies will continue to push the boundaries of what is acceptable.
It’s been reported practically since the law’s implementation that it actually harmed mid-market players more than Big Tech companies because the former lacked the lobbying power and workforce to sidestep the most critical aspects of the legislation. Is that how GDPR worked out in your view?
I’m not familiar with how Big Tech companies lobbied or sidestepped the most critical aspects of the legislation. However, what I did see is that:
A small or mid-market player relatively found the cost of implementation more expensive. They had to assign about two people out of a workforce of 200 to implement GDPR. A large firm of 10,000 people could assign about 20 people to implement it. This meant small- and mid-market players had a relatively higher cost.
I’ve also seen large tech companies with dedicated in-house legal staff coupled with in-house data specialists being more confident or bullish. Their teams have time and resources to clearly understand where the boundaries lie in understanding the lawfulness of a particular use case of data. Mid-market players have sometimes had to be more cautious as they don’t have the resources to make those informed decisions.
The bigger problem I worry about is the data haves and the have-nots. I fear that a side effect of GDPR is that control of data has been consolidated around the big three of Facebook, Google, and Amazon. I’m more likely to provide consent to sites that I use regularly because perhaps I trust them with my data, or I perceive more value in the value exchange. Or perhaps they’re just really good at building that trust with me. I’m far less likely to feel confident about sharing my data with a site I visit for the first time with a brand that I don’t know. Or perhaps there is just no perceived value to me in consenting to share my data. This leads us to a place where more data is consolidated in the hands of Big Tech and smaller firms.
Could GDPR simply be enforced better? Or is new legislation needed?
GDPR is at a critical point where we need to see enforcement or the hard work taken to get to this stage will be undone. But, fines are not the only way to pursue enforcement. The UK ICO has taken a collaborative approach with brands, helping them to navigate and improve data privacy with prods and warnings to get their house in order before fines are applied. Some carrot with the stick is a good approach.
What should US privacy advocates and politicians learn from GDPR as they consider national privacy legislation here?
These are my three big takeaways, and in my opinion they are far more important than the specific laws themselves.
Consistency: There was a cost for leaving the (pre-GDPR) wild west so we could enter a rules-based order for how personal data is governed. In my opinion that was a price well worth paying as it gives citizens more control over their data and business leaders confidence that the rules have been set. Further changes or fluctuations in those rules will cause unnecessary cost and disruption, especially to small and mid-market players. Legislators have one shot at getting this right and therefore need to think hard about how the rules will work in the years ahead.
Standardization: GDPR means data protection rules are standardized across the EU. Having the same rules in Germany as in Italy makes it far easier for brands to comply with both the spirit and the letter of the law across all EU countries. In a world where data is easily portable this is key. This was a big learning for me and it’s clear that standardization is a big benefit for businesses that offsets the costs of compliance. I hope legislators will understand the benefits of standardization and make this a key pillar of their plans.
Clarity: Clarity in the changes is key as it allows organizations to make the changes necessary to comply and empowers citizens to understand their rights. GDPR was broad, far-reaching, and bold in the changes it required, meaning that this clarity was often lost in the scale of the transformation. I’d hope that legislators are clear on the principles behind their privacy legislation as well as the laws themselves.
Correction: A previous version of this article stated that GDPR was one year old. It was implemented May 25, 2018, not 2019.