After one year of GDPR Has The Privacy Promise Become Reality? By Nick Caley

By Nick Caley, Financial Services and Regulatory, Vice President, ForgeRock

Since it was enacted on 25 May 2018, GDPR has emerged as the de facto international standard on privacy: over half of global GDP now falls under GDPR-like standards. However, there is still much work to do, with the last year seeing a patchwork of successes and failures.

So 12 months on, has the privacy promise of GDPR become a reality?

Consumers and businesses are waking up to privacy

In terms of public awareness, GDPR has already had a major impact. Consumers’ are now much more aware of privacy issues and the rights they can exercise when it comes to their data. In the months after GDPR took effect, Europe saw a record number of complaints about how personal data is being handled. The Irish Data Protection Commission (DPC) recorded 6,000 complaints in the year since 25 May, and a 56% increase in 2018 (post-GDPR) compared to 2017 (pre-GDPR).

Privacy is also increasingly becoming a board-level business issue. Earlier this month Google’s CEO stated that ‘privacy should not be a luxury good’ after unveiling several privacy-focused products. The introduction of Data Protection Officers under GDPR is also placing a healthy tension in the decision making of data-driven businesses. However, like many of the tangible results of the new law, their impact remains largely unknown.

Implementation difficulties are undermining confidence in GDPR

More apparent is the reality that both businesses and consumers are still suffering from the short-term difficulties of implementing GDPR. Today, a year after GDPR came into force, European business leaders view data protection as the most challenging area of regulation. In particular, companies are struggling with data integration and compliance. Siloed data and the prohibitive challenges of building customer data architecture are preventing businesses from fully implementing GDPR.

For consumers, the most common reaction is likely to be frustration at the knock-on effects of businesses’ compliance struggles. In many ways, GDPR embodies the law of unintended consequences for consumers who, rather than experiencing a new era of data transparency, are far more likely to experience a significant worsening in their internet experience. Because of the way advertisers and publishers have approached the cookie management issue, the ‘opt-in’, ‘opt-out’ process that confronts users when they visit almost any webpage is more of a hindrance than a way to empower and educate users and is often seems designed to confuse and catch people out.

We can’t wait for regulators to force our hand

The GDPR is at a critical stage and where we go from here is far from certain. While many countries have adopted GDPR-inspired privacy standards, other efforts, most notably those in the US, are floundering.

The prospect of a wave of enforcement actions related to data privacy breaches attests to the fragility of the current landscape. The FTC, the ICO and DPC have all recently announced impending action. The DPC alone has 51 large-scale ongoing investigations including 19 involving tech companies like Facebook, Twitter, and LinkedIn, many of which are “significantly advanced” according to Helen Dixon, the head of the DPC. The impending wave of enforcement action hasn’t stopped the DPC from probing new areas of interest either – it recently announced its first major investigation into Google’s ad business.

However, Dixon’s UK counterpart, information commissioner Elizabeth Denham recently said that while the GDPR was supposed to enshrine in law a responsibility on data-handling businesses to protect customer data, she made clear that this change is not yet evident in practice.

This highlights a fundamental aspect of GDPR, which is often lost in discussions about fines. A privacy-first approach is not something that regulators can truly impose upon companies. It will only be achieved if consumers let companies know that this behaviour is not acceptable by voting with their feet (or thumbs). The power to change the privacy paradigm, permanently and fundamentally, in the image that GDPR envisaged rests in the hands of consumers who use their technology (or choose not to). Certainly, those enterprises that embrace the concept of an exchange of value with their customers will see this pay dividend as users will engage more freely and confidently.

Consumer ownership of data is the future

While there is still much work to do, one year into GDPR it is already clear that the old model, where user data was harvested extensively and consumers were given only the bare minimum of control and visibility, is no longer acceptable. Consumer ownership of data is where the future lies and GDPR is just the first significant step towards making it a reality. This approach will eventually become the norm across industries and those companies that are able to adapt effectively and deliver the trust and convenience that consumers want will have a major advantage.

You can read more articles about the GDPR here.

If you would like to have your company featured in the Irish Tech News Business Showcase, get in contact with us at Simon@IrishTechNews.ie or on Twitter: @SimonCocking