To protect the private liberties and information of EU citizens, the General Data Protection Regulation (GDPR) took effect on May 25, 2018, replacing the 1995 EU Data Protection Directive (DPD). With the preservation of personal data at the forefront and as a deterrent to breaches and mishandling of personal information, companies which solicited or were in possession of this information became subject to regulation, with the goal of enhancing protection of the data they possessed and increasing the obligations of organizations which collect or possess personal data.
In theory, EU citizens could rest assured that they were protected and safer, and could place more trust in these organizations, because a regulatory body ensured that their best interests were taken into consideration and their information was protected by law. But how has it fared since its implementation? What effect has it had on organizations and EU citizens alike since May 25 of last year? Has it had the desired impact or was it not as big a deal as it was initially made out to be? Let’s examine the findings.
What are the positive effects?
Apart from the businesses that started to take advantage of the implementation of the GDPR (read blog: How is GDPR abused for profit sake), the regulation did come with beneficial improvements. The GDPR ensured that eight rights of consumers were respected, including granting consumers easier access to the data companies held on them, requiring companies to inform consumers about methods of data collection and requiring companies to request consent before such data is collected.
In January 2019, respect for these rights was evidenced when popular search engine company Google was fined €50 million for not properly disclosing to users how the company collected their data for personalized advertisements. Google comprises a suite of applications and components which work together to give users a comprehensive experience. If you feel the ads that you see are somehow being fashioned by your search habits, they are, and companies take advantage of this information provided by Google. The fine reflects the power of the regulation and was capable of causing a wider, more profound effect, with other companies taking personal information protection more seriously and taking steps to ensure it was respected.
Companies became more mindful of how they handled information and took the necessary steps to bridge the gap between the company and the consumer in terms of data sharing. This has also taken the form of transparency: companies have been required to report when personal data has been accidentally or unlawfully disclosed. After the GDPR took effect, Data Protection Authorities in Europe reported a staggering 41,502 notifications of this nature, a figure which grew at an alarming rate in previous months.
What is not improved by the GDPR?
In terms of legislation, the implementation of the GDPR was actually a small change. Most countries had already adopted some rules of the GDPR, e.g. in the Netherlands a regulation ‘Meldplicht Datalekken’ (data breach reporting obligation) came into effect in 2016. We still believe the impact for most companies was less than expected. In practice, the implementation resulted in numerous annoying e-mails that requested your consent for receiving marketing e-mails or receiving information about products. Some companies forgot to check whether the other 9 reasons for processing personal information applied before simply asking for consent. A false positive effect is that organisations and people started to use the GDPR as an excuse to end discussions and to avoid answering a request, even when it does not concern personal information at all.
As mentioned before, this implementation served to improve the relationship between companies which possessed client data and the clients who provided this data to them. However, according to research by HubSpot, the figures indicate that the GDPR has not improved client relationships over the past year. In the EU, 28.8% of citizens reported improved interactions with companies in 2018 as opposed to the significantly lower 23.7% in 2019. The HubSpot research also shows that 25% of UK citizens reported improved interactions with companies in 2018 in comparison to 21.3% in 2019. According to research conducted by IAPP (2019), there have also been a total of 144,000+ individual complaints on topics including numerous access requests, disclosure, employee privacy, unwanted marketing (personalized advertisements and e-mails), unfair processing and more.
Furthermore, there have also been reports of 89,000 data breach notifications within companies covered by the GDPR. In addition to general consumer relationships not improving, complaints still arise with regard to data privacy and confidentiality, and there is a staggering number of data breaches in spite of the GDPR’s implementation.
Having received substantial media coverage in the initial stages of its implementation, the GDPR addressed a number of personal data concerns and brought others to light. In protecting the data of EU consumers, the GDPR has set out to achieve its mandate and has made companies more mindful of how they manage their customers’ data. However, according to the reports which have been made since the implementation of the GDPR, customers themselves have lost the interest they initially had in the initiative. It stands to reason that this may be an indication of the societal outlook on data protection and privacy with respect to the GDPR in the years to come.