Happy 2nd Anniversary GDPR!
25 May 2020 marks the 2nd anniversary of GDPR (time flies fast), the cornerstone legislation that changed the way people and businesses think about personal data. It is also the legislation that paved the way for other privacy-minded legislation around the world. For example, enforcement of the California Consumer Privacy Act (CCPA) commences on July 1 of this year. Also, in India, the Personal Data Bill still awaits approval by Parliament.
One of the most impressive aspects of GDPR is the fines imposed for violating its requirements. Up until May 2020, a total of 237 fines amounting to € 467,569,168 have been issued. Is it too much or too little? And do fines force companies to be more privacy friendly? Moreover, have individuals learned increased respect for their personal data?
What We Asked The Experts
With these thoughts in mind, we turned to privacy and security professionals to hear their opinion on the matter. We asked them the following questions:
- What do you think have been the major benefits of implementing GDPR?
- On the flip side, what is the major drawback of GDPR?
- And finally, what is the biggest challenge organizations and individuals need to overcome while complying and adhering to GDPR requirements?
The following results came from this short survey.
Laureline Lemoine for EDRi
European Digital Rights (EDRi) is an association of European civil and human rights organisations. Their main purpose is to defend rights and freedoms in the digital environment. Laureline Lemoine, Policy Analyst at EDRi, commented:
In the past 2 years, EDRi has witnessed the first positive impacts of the law but also its struggles. People living in the EU have been using their rights to access data, erasure, object, and withdraw consent. And moreover, to file a large number of complaints with the authorities, in response to which data protection authorities slowly started enforcing the law by applying the first fines.
However, EDRi is concerned to see that most large tech companies and a majority of online actors have yet to adapt their behaviour to implement key requirements of GDPR. This includes modifying data processing principles and data protection by design and by default requirements. Users are still tracked online, across websites, platforms, and through their devices, often without a valid legal basis, and without awareness of such processing.
In May 2018, EDRi and our members widely and warmly welcomed the increased protections and rights enshrined in GDPR. Now, almost two years on, we call on the EU Commission, EDPB, and DPAs to move forward with the enforcement and implementation of the GDPR to make these rights a reality.
Elpida Vamvaka for Homo Digitalis
Homo Digitalis is the only non-profit organization that focuses on the protection of digital rights in Greece. Their mission is to promote and protect fundamental rights and freedoms in the digital realm when those rights face challenges or jeopardy. Elpida Vamvaka, Chair and co-founder, has the floor:
The major benefit of GDPR is that implementing the regulation was the opportunity for many people to learn and understand that the right to privacy and data protection are two very important human rights. These rights are enshrined in the EU Treaties and the EU Charter of Fundamental Rights. In addition to providing this understanding, this regulation created new ways for people to protect their personal data, and by extension their privacy and other human rights.
On the other hand, GDPR is a regulation, a legislative text, so it may take some effort to be understood by people. Also, actual fines imposed under GDPR have been minuscule these past 2 years.
The Stumbling Blocks
The biggest challenge for organisations is to build a culture of trust and accountability. GDPR compliance requires cultural change, and for organisations it’s not enough to update their internal policies. Organisations and businesses should recognise the benefits of being compliant. Merits include a competitive advantage that increases trust, security, customer satisfaction, and employee morale, and leads to a better reputation. I see that businesses consider the cost of compliance very high. But they must understand that data breaches (in addition to fines and penalties) are hugely costly from a reputational risk perspective and place the brand and the business at a large competitive disadvantage.
At the same time, individuals should use their data wisely, learn their rights, act, and finally take control of their personal data. Personal data is above all personal, so each of us as individuals should care about protecting it.
Konstantinos Kakavoulis for the Greek National Opera and Animasyros International Film Festival
Who said that GDPR has nothing to do with art? Konstantinos Kakavoulis is the DPO of both the Greek National Opera and the Animasyros International Film Festival. He is also the co-founder and a member of Homo Digitalis. Let’s hear his opinion. He says:
The major benefit for the companies and organizations, which timely and properly implemented the new data protection scheme, is their beneficial position in the market against their rivals. This can be easily observed during the coronavirus pandemic. Major companies, which had invested in their digital transformation and privacy-friendly approaches towards the use of technology, did not face problems in adapting to the new reality.
Teleconferences and work from home procedures could be enforced from day 1 of the lockdown with no extra cost or effort. While rival companies were and may still be struggling with the challenges of teleworking and the confidentiality of communications, GDPR compliant companies can continue doing business as usual, thus strengthening their market power.
As far as the drawbacks are concerned, I would say that GDPR does not have any drawbacks at all. However, some might argue that its implementation has a serious disadvantage. It is not an easy procedure. GDPR compliance is never 100% achieved. It is an on-going process and data controllers and processors must always consider privacy implications prior to taking or enforcing a decision.
GDPR has far-reaching implications. It is not restricted by the European borders. Besides the fact that it has influenced many a regulation across the globe, it has impacted a lot of US-based companies that do business with European citizens (who doesn’t?).
Ambler T. Jackson, Attorney of Data Privacy and Protection
Ambler T. Jackson is an Attorney of Data Privacy and Protection in Washington, DC, and she has some very interesting insights. She says:
Achieving GDPR compliance has provided businesses with an opportunity to really distinguish themselves. These companies are seen as those that value privacy-focused solutions, keeping their customers informed about the privacy impacts related to their service or goods. They are also known to protect their customers’ personal data from loss or unauthorized use. One of the most important benefits is that the road to GDPR compliance forced companies who in the past processed data without any framework whatsoever to begin operating inside of an acceptable framework.
This forced stubborn companies, who may have not committed any resources to privacy and data protection, to at the very least push pause and ask: what kinds of data processing do we engage in, do our customers know that we collect their data and share it with several other companies, and how can we better inform them of the data processing that we are engaged in?
The most unfortunate drawback is the lack of resources to enforce the requirements of GDPR, especially against large corporations and technology firms. Achieving GDPR compliance is labour-intensive. It also requires expertise from many players, including attorneys, security experts, technologists, and staff who support GDPR compliance operationally. It can be an expensive undertaking. Similarly, enforcement is not inexpensive.
The lack of resources and expertise necessary to force major technology firms to adhere to the requirements of GDPR is a challenge for Data Protection Authorities and Regulators. Additionally, the COVID-19 pandemic provides new, significant privacy impacts. Consider the fines (e.g., British Airways and Marriott) announced last year. Here we are, a year later, with a pandemic and the economic fallout, coupled with chatter that those fines may be decreased due to the economic impact of COVID-19. This perfect storm may result in GDPR being much less effective than initially thought or hoped for by many privacy advocates.
Katrina Dobieski, Cybersecurity Writer
While all our previous contributors were lawyers, our last two are professionals working within IT and cybersecurity. Katrina Dobieski is a cybersecurity writer working for Venafi, in Salt Lake City, Utah. Let’s see what she has to say:
The biggest GDPR benefit is explicit opt-in, as opposed to implicit opt-out. The fact that companies have to come straight through the front door and state their intentions not only shows good manners but organically advertises the rampancy of data collection across the internet. The “pop-up ask” builds a culture of data awareness. Notice that 8 out of 10 of your last visited websites told you that they have plans for your information.
One of the biggest challenges with GDPR is the lack of a certification process. How do you know when you’re there? You know your web surfing is safe when you see “https.” However, there is no such signal when you’ve reached GDPR compliance. In this absence, what could have been a huge selling point for GDPR that bolstered participation, now becomes a point of confusion.
Finally, centralized databases are GDPR’s main drawback. For businesses to fulfill the users’ requests to access personal data, centralized databases are being employed to facilitate the process. In my opinion, this is one of the most disconcerting parts of GDPR. It is called diversifying your portfolio. You do not keep all your diamonds in one vault, all your aircraft on one base, all your wealth in one asset. GDPR should make user-total private data more difficult to access, not less.
Ioannis Chrysakis, ICT Expert and R&D Engineer
Ioannis Chrysakis is an ICT expert and R&D engineer at FORTH-ICS in Greece and a PhD candidate at the University of Ghent, Department of Electronics and Information Systems, in Belgium. He is also a member of the CAPrice Community. He says:
I can see several benefits of implementing GDPR. However, I will start with the most generic one. GDPR establishes a legal framework for addressing consumer rights regarding personal data protection. This is something that undoubtedly gives consumers a strong level of control over data processing. This did not exist in the past. Moreover, GDPR pays special attention to better protection of children. The young may be less aware of the risks and consequences of sharing data. They are certainly less aware of their rights. Finally, the fines introduced into the legislation for any case of violation force service providers to change their data protection policies. It forces them to start thinking about creating more privacy-friendly products and services.
On the other hand, GDPR is a big document with several articles that requires at some point a high level of expertise to fully understand it. This means that on the one hand consumers are required to dedicate enough time to realise the new situation and their rights. On the other hand, service providers such as companies or organisations probably need to hire people with high expertise to redesign some of their offered services, avoiding failures with data protection that could lead to them paying huge costs in fines.
There are several technical and organisational challenges of implementing GDPR for organisations that handle personal data. Organisations are encouraged to apply a systematic approach of adapting GDPR requirements to their whole data processing workflows. Probably they need to rethink, revise, or redesign parts of some workflows to become both efficient and GDPR compliant.
Regarding individuals, they must always ensure that they are fully aware of their rights. This will help them to determine whether they can apply any of them. Or to be more selective when choosing a digital product or service. The latter means that they always have to do their research on alternative products and services which offer a higher level of privacy friendliness and GDPR compliance.
To sum up, GDPR compliance and privacy friendliness can give organisations/companies a competitive advantage in a market that ideally would be taken seriously by potential customers.
Gaylynn Fassler, Information Security Analyst
Finally, Gaylynn Fassler, who is an Information Security Analyst at Duke University Health Technology Solutions, says:
I think a benefit of GDPR is knowing what companies are using your data for. I would love to determine upfront what a company can and can’t do with my data. One of my least favorite things is when I want to watch a webinar, but they need all of my information just to register. Then there’s just relentless spam, even though I only wanted to watch the one webinar. Having to opt in to things makes a lot more sense than opting out, which is then what I have to do in those cases. Opting out can also carry risk. What if I really want to opt out of something, but I get a phishing email instead of a legitimate one? Even as a security professional, I could potentially click a bad link to prevent myself from getting spam.
I think a big drawback is that there aren’t that many people well versed in GDPR yet. Or certainly not enough people. There’s so much information that it’s hard to know if you’re doing it right or wrong. We all know data is mishandled all the time, but sometimes it’s done inadvertently. So then the question is how to handle those situations?
There are so many challenges with GDPR, it’s hard to pick one. In general, I think GDPR is a good thing because the intent behind it is to give users more control over their own information. However, I don’t think it’s as cut and dried as it appears to be. If a company mishandled your information in a way that’s not publicized as a data breach, how can you prove it? Also, with information collected for so long, by so many different entities, who really knows all the storage places of our personal data? Should a company that collected the data 5-10 years ago be punished for having it now? There are so many questions that we have to wait to see how they play out.
We, at Bora, are firm believers in the necessity of GDPR and of privacy legislation in general. They help protect our human rights in the digital world. Despite the various challenges, old and new, everyone, businesses and individuals alike, should strive to protect our personal data. Our data is our lives. Don’t you want to protect it? Happy second anniversary GDPR!