How GDPR Changed Everything: 18 Months Later
GDPR (short for the General Data Protection Regulation) became enforceable on May 25, 2018. Although the legislation was finalized in April 2016, many organizations were still scrambling to become compliant before the enforcement date.
Around the same time, data privacy was a hot topic with the controversial Cambridge Analytica going out of business in early 2018. This made data privacy in general, and GDPR in particular, one of the hottest topics in tech. There were tons of questions about how GDPR would be enforced, and what would change for businesses and consumers.
In the year and a half since GDPR became enforceable, a lot has changed and many questions have been answered. Here, we’ll look back at how GDPR came about, what it intended to change, and what it has actually changed.
How GDPR Came About
In 2012, the European Commission proposed a comprehensive reform of the European Union’s (EU’s) 1995 data protection rules. The idea was to modernize legislation to address the privacy challenges in a world with social media, analytics, and supercookies.
After about four years of rigorous process and drafting of legislation, GDPR officially came into existence on April 14, 2016. It replaced the aforementioned 1995 Data Protection Directives. Because GDPR represented such a drastic shift, businesses were given plenty of time to adjust: GDPR did not become enforceable until May 25, 2018.
Understanding the Objectives of GDPR
In essence, the GDPR modernized rules that were established in 1996, but that doesn’t tell us much. To paraphrase, the objectives of GDPR are:
- Establish rules related to “natural persons” in regard to processing and free movement of their personal data
- Protect the rights and freedoms of “natural persons” as it relates to protection of personal data
- Ensure that the free movement of personal data within the EU is neither restricted nor prohibited on grounds related to protecting “natural persons” with regard to the processing of their personal data
“Natural persons” is an important phrase here. Natural person = human being. Not a corporation or legal entity.
Who is Affected by GDPR?
GDPR affects almost every company in the EU or doing business in the EU. According to CSO, the following organizations must comply with GDPR:
- Companies physically present in the EU
- Companies that don’t reside in the EU, but process personal data of those living in the EU nations
- Companies that have more than 250 employees
- Companies that have fewer than 250 employees, but process data that can affect consumers’ rights and freedoms. Almost every company falls under this category.
In a nutshell, any big company (> 250 employees) and most small companies that operate in the EU need a GDPR strategy.
The Difference between Data Processors and Data Controllers
There are two classifications an organization may fall under when it comes to GDPR.
- Data Processors
- Data Controllers
A controller can be an agency, individual, public authority or organization that decides the means and purpose of processing personal data, while a processor is an individual, organization, agency, or public authority that helps the controller process personal data.
A processor is obliged to protect and maintain the personal data of individuals and to safeguard how it is processed. The processor is liable if there is any breach involving the data it handles.
Processors can either be in-house (i.e. part of the controller organization) or outsourced. A controller’s duty is to ensure that every contract it has with processors complies with GDPR terms.
Because different regulations apply to each, it is important to understand if your organization is a processor, controller, or both.
Personal Data and GDPR
Personal data protected by GDPR covers a wide range of information related to an identified individual in the EU including:
- Phone number
- Genetic data
- Biometric data
- IP address
- Race or ethnic data
- Political opinions
The idea behind GDPR is that EU citizens control their personal data. Currently, they are more involved in decision making regarding who uses their data and how it should be used. Because of the broad reach of the legislation, it has affected citizens of the web outside the EU as well.
GDPR has helped create a bit more transparency around data breaches. Organizations must inform the appropriate data protection body and affected individuals immediately when they notice any compromise of EU consumer data.
Additionally, consumers have easier access to their data thanks to GDPR. As a result, they can have a better understanding of how their data is used and processed.
Organizations now have to be more careful with consumers’ data than before. They are required to inform users of how their data will be used — and provide opt-outs from mailing lists more frequently and prominently.
Individuals in the EU can now even tell organizations to delete the data they hold on them. This is where the right to erasure comes into play. The right to erasure grants consumers the right to request that organizations permanently delete their data. Organizations that fail to comply with such a request for erasure will be fined under GDPR legislation.
Obviously, only EU citizens are technically protected by GDPR. However, as you may notice with more prevalent cookie notifications, changes related to GDPR impact those outside the EU, too. This can be attributed to the difficulty of serving one site to the EU and another to the rest of the web. It becomes easier for organizations to simply grant many of the same benefits to all users.
Sure, GDPR only applies to EU citizens if we go by the book. However, the past 18 months have shown that different websites have changed for users outside the EU.
Some Businesses Abandoned the EU Market
In some cases, firms felt GDPR would be too much to handle, thus limiting their ability to run a profitable business in the EU. As a result, some businesses exited the EU market entirely. For example, Digiday reported that two U.S. advertising firms, Drawbridge and Verve, discontinued EU operations because of GDPR.
Additionally, there have been reports of larger businesses changing how they do business. Case in point, The Irish Times reported Facebook rerouted traffic to ensure 1.5 billion users wouldn’t be protected by GDPR.
Businesses Have Paid Some GDPR Fines
According to Infosecinstitute.com, GDPR has already led to over €359,205,300 in fines. Multiple firms have faced multimillion dollar fines (Google, Marriott, and British Airways). Many more have faced five- and six-figure fines as well. Here are the top 5 biggest GDPR fines so far.
Companies Have Data Protection Officers Now
In many cases, GDPR requires organizations to appoint data protection officers (DPOs). Whether a DPO must be appointed depends on the nature of the organization and the amount of data being processed. For example, public authorities and companies that process data at large scale are required to have a DPO.
In 2016, IAPP cited a study that indicated GDPR would create demand for at least 75,000 DPOs. Exact numbers are hard to come by, but Protiviti indicates there are over 500,000 registered DPOs in 2019.
Organizations Still Struggling to Keep Up
After 18 months of GDPR, companies are still finding it hard to keep up. In some cases, business has been lost. For example, multiple organizations admitted that their channels for contacting consumers declined by 25%-40%.
Interestingly, this has led to other companies creating new lines of revenue. For example, Symantec announced support for companies struggling with GDPR in late 2018.
A Call for Comparable U.S. Legislation Begins
On the other side of the Atlantic, there has been a call for legislation comparable to GDPR. Interestingly, some of the loudest proponents of such legislation have been big tech executives. Tim Cook, Apple’s CEO, was one of them.
Last year, he called on the U.S. data protection agency to introduce a U.S. form of GDPR to help users. Additionally, early this year, Facebook CEO Mark Zuckerberg talked about a privacy-focused internet, albeit after Facebook was fined $5 billion (USD) for breaching privacy.
GDPR has changed a lot over the last year and a half. However, we can expect more to change in the coming years. Data privacy is a major issue. GDPR is just one example of that holding true. We can expect legislation in the U.S. to bring more changes in the future.
As an IT pro, you need to stay up to date with these changes and implement solutions. GDPR changed a lot, but it won’t be the last set of major changes in data privacy.