Okay Virtual Assistant, make me GDPR compliant - One year down the road -

Lilla David

Senior Digital Marketing Specialist

As we hit the one-year mark of the implementation of the GDPR, it’s time to take a deeper look into what effects the EU privacy regulations have had on the approach of businesses and the public towards data privacy, how predictions have compared, what the biggest breaches and fines have been, how big tech companies have handled the new regulation, and what we can expect going forward. 

 

Back in 2012, when the regulation was drafted, several world-renowned experts in law and business shared their predictions on the expected effects of GDPR. One of the predictions that had the most consensus among experts was that the new regulation would create buzz and awareness around privacy and personal data protections. They couldn’t have been more right: according to Google Trends, interest in data privacy has almost doubled since 2016 based on searches, with a very high spike after May 25, 2018. We also see from studies conducted on user consent that location opt-ins across mobile systems have decreased significantly in Europe, to an all-time low of less than 5% at this point.

The introduction of the GDPR has also changed the approach of companies, markets, and the general public towards privacy. Some say a new culture of compliance has been created since. For instance, several markets outside the EU have since been influenced by the GDPR, such as the U.S., China, India, and South Korea, which are either drafting privacy guidelines that will soon be implemented, e.g. the California Consumer Privacy Act in the U.S., or are adjusting existing ones, heavily influenced by the guidelines of the EU regulation. Meanwhile, the French DPA reported a 64% increase in complaints from individuals in the first few months after the regulation came into force, showing much higher consumer awareness, and organisations that work with large volumes of personal data, be it internal or customer data, have also been receiving rising numbers of data subject access requests.

With changes in attitude towards privacy and regulations, data protection has become more crucial than ever for companies. Since May 25, 2018, 64 000 data breach notifications have been initiated, most from the markets of the Netherlands, Germany and the United Kingdom, while regulators in 11 European countries have imposed a staggering total of €56 million in fines. Simultaneously, hackers have also been very active in exploiting personal data from organisations.

The biggest personal data breach since GDPR happened at the end of 2018, when Marriott's international system suffered a ‘colossal’ attack. Hackers effectively gained access to over 300 million records of guest data, including payment and passport information. Facebook, Quora, T-Mobile and British Airways have also fallen victim to hackers, exposing more than 130 million personal data records altogether. Interestingly, Marriott's personal data breach is still being investigated, and we may only see fines for it later on.

As leading tech and social media companies are an important focus of the GDPR, they have become the forerunners in taking steps towards improved data privacy, led by the stance of their global CEOs. After being hit by a record fine of €50 million issued by CNIL, Google just recently announced the opening of its global privacy engineering hub in Munich, complemented by enhancing privacy controls from Google Maps, aligned with the recent statement of Sundar Pichai, CEO of Google, saying that privacy cannot be a matter of luxury. 

While market leaders, organisations, and EU citizens are adjusting to the new demands and opportunities of the guidelines on data privacy, there are still many long-term effects to explore. Our legal experts have outlined some bold predictions for the next five years in regard to GDPR: we believe that in five years’ time browsers themselves may be actively protecting user data, while today's password manager may eventually become an ‘identity manager’, fit to compartmentalise user data in a secure way. We can also already see Ireland’s supervisory regime being challenged by its European peers, individual complaints and court cases. One way or another, there will be pressure to empower individual supervisory authorities and to coordinate their efforts.

All in all, we can expect some big things coming our way still, with both further adjustments to EU privacy regulations, as thousands of GDPR actions are still under discussion, and also with organisations responding to these requirements with new services.