The Impact of GDPR One Year Later: The Good, The Bad, and The Future
May 25, 2019 is the first anniversary of the implementation of the EU’s General Data Protection Regulation (GDPR). The impact of GDPR was felt across the world – since its introduction, privacy laws have continued to expand both domestically and internationally. As we reflect on the past year of data privacy and security legislation, we also examine the impact GDPR has had on the world.
The global reach of GDPR
Due to GDPR’s requirements, organizations in countries outside the EU are taking efforts to ensure they meet the regulation’s standards; GDPR compliance is mandatory for any organization collecting the personal data of people located in the EU, even if they aren’t doing business there. It doesn’t matter where the data is sent, stored, or managed – GDPR requires that information must be safeguarded. The goal of the regulation is to provide increased control and improved transparency for consumers’ personal data.
Two key components of GDPR – noncompliance and notification – are the forces behind establishing control over personal data.
- Noncompliance – Any organization that fails to comply with the regulation is subject to administrative fines of up to €20 million or up to 4% of total global annual sales revenue, whichever is greater.
- Notification – After detecting a breach, organizations are required to send notifications “without undue delay” no later than 72 hours post-awareness.
These components have given organizations across industries around the world the framework for developing stronger security and privacy policies and procedures, demonstrating the impact of GDPR.
Increased transparency for consumers
Thanks to GDPR, consumers are now more aware of their rights, enabling them to take more active roles in the management of their personal data. Empowering customers with knowledge of how their data is being managed and giving them the ability to consent to how much information a business can record builds trust and transparency.
Fewer data breaches for GDPR-compliant companies
With data breaches continuing to expose millions of people’s sensitive data every year, it’s natural that businesses and customers are concerned. When the security of personally identifiable information, personal health information, and other sensitive data is at stake, it’s essential to know how to keep this information safe with the proper privacy and security measures.
Research shows that organizations with greater privacy maturity experienced fewer breaches in 2018. Being privacy-mature is very closely correlated with being GDPR compliant. Only 39% of GDPR-ready companies that experienced breaches incurred losses of more than $500,000, according to Cisco’s 2018 Privacy Maturity Benchmark Study. In comparison, 74% of privacy-immature (not GDPR-ready) organizations that experienced data breaches saw losses of more than $500,000. With the average cost of a data breach reaching almost $4 million, organizations that prepare ahead of time by being GDPR-compliant can experience fewer breaches as well as smaller losses if a breach does occur.
Over the last year, GDPR-compliant organizations have had fewer data breaches. And, if a breach did occur, fewer records were affected and system downtimes were shorter, leading to a lower total cost per data breach for GDPR-ready businesses. Non-GDPR-ready organizations saw higher costs for breaches due to the larger number of records impacted and longer system downtimes.
The more businesses become GDPR-compliant, the more we can expect to see data breach costs go down, based on the trends we’ve seen over the last year.
GDPR acts as a fast-track for competitive advantages
When organizations invest in mitigating privacy and security challenges, they enjoy increased competitive advantages. For example, the average sales delay caused by privacy challenges was 5.4 weeks for companies that are over a year away from being GDPR ready. Businesses that were GDPR-ready only saw a sales delay of 3.9 weeks. Plus, GDPR-compliant businesses saw shorter downtimes in the event of a breach – 6.4 hours instead of 9.4 hours.
GDPR requires organizations to know where personal data of EU consumers is stored at all times. Because of this, many companies now have a better understanding of the data they store and use this information to guide their business operations.
“Organizations have a long way to go to maximize the value of their privacy investments. Our research shows that the market is set and ready for those willing to invest in data assets and privacy may be the path forward to get there.”
– Michelle Dennedy, Chief Privacy Officer, Cisco
GDPR has been a catalyst for international privacy laws
In the wake of GDPR, other countries have seen privacy law proposals reach various stages of enactment and enforcement. In the United States, California quickly followed suit with the California Consumer Privacy Act of 2018. Similarly, India’s Personal Data Protection Bill and Brazil’s General Data Protection Law (Lei Geral de Proteção de Dados (LGPD)) draw heavily upon GDPR’s provisions. Like GDPR, India’s and Brazil’s laws establish consent as the primary legal basis for processing data. These laws apply to companies outside their territory if the data of their citizens is collected, and they authorize noncompliance fines in the millions. The United States has begun making efforts towards creating a federal privacy law in light of GDPR, holding multiple Senate and House-level hearings, but the efforts are still in the drafting and proposal stages.
Concerns have arisen over GDPR complaints and enforcement
With any new act of legislation comes the inevitable backlash, and GDPR is no exception. Many have issued complaints – according to a DLA Piper publication, there were more than 59,000 complaints of GDPR violations in Europe within eight months of enacting the law, but only 91 organizations received fines. This discrepancy leads many to wonder how effective the enforcement of the legislation is, and how the EU plans to improve the enforcement rates going forward, especially as other countries and territories develop and enact their own privacy laws.
Companies are struggling to become GDPR-ready
Many companies seem to be struggling with becoming GDPR-compliant in a timely and effective manner. Cisco’s 2019 Data Privacy Benchmark Study revealed that 59% of companies were meeting all or most of GDPR’s requirements. 29% said they expected to be GDPR ready within a year, and 9% reported it would take them more than a year to prepare. Overall, countries ranged from 42% to 76% in terms of GDPR-readiness. The United States’ level of GDPR-readiness was 57%, which isn’t as high as most European countries but is an improvement over China’s 42% or Japan’s 45%. Some of the main roadblocks on the path to GDPR-readiness are meeting data security requirements, employee training, and staying on top of ever-changing regulations. After all, GDPR is not a “set-it-and-forget-it” law – it requires continuous diligence and assessment.
Consent fatigue has become a real concern for consumers
Shortly after GDPR’s enforcement date last year, consumers were inundated with opt-in notifications from companies across the globe. Businesses were required to obtain consent using opt-in language for communications, for allowing cookies to track website visits, and more. As a result, inboxes everywhere were flooded with privacy notification updates, opt-in requests, and other alerts driven by GDPR requirements. While this is positive for gaining consent to collect data, consumers are at risk of opt-in fatigue – most people don’t read and understand the new privacy policies. Instead, they simply check the box or click “accept,” waiving their privacy rights without a second thought.
– Matthew Lewis, head of Global Regulatory Practice, Axiom Law
GDPR is in no danger of going anywhere. Many massive, global organizations barely felt the impact of GDPR since they were already following GDPR-like policies long before the regulation was enforceable. In the United States, for example, healthcare organizations accountable for complying with HIPAA were likely to enact most of GDPR’s requirements before the law passed. However, just as many businesses in less highly regulated industries are hurting from the impact. Technology and media giants like Facebook and Google have received massive fines for failing to comply with GDPR.
In reflection, it appears as though the impact of GDPR has been positive for enabling consumers to take back control of their personal information, though not without a few snags along the way. Over the next year, it should come as no surprise when other countries enact legislation that closely reflects GDPR’s key components, hopefully adopting the most effective aspects and improving upon the more problematic elements.