Almost a year after the ominous GDPR regulation was passed in the EU, it’s time to look back and measure its true impact. The ambitious and incredibly strict regulation was meant to bolster privacy and security for European citizens. It also promised to deliver more control over personal data, allowing citizens to outright delete their information if desired.
Did it do that? What has changed between its rollout in May 2018 and now?
2018 Was for Compliance, 2019 Is for Enforcement
Throughout the course of 2018, things were pretty slow in regard to enforcement. It made sense, as companies needed time to get their ducks in a row. Many updated or established privacy policies and created advanced data tools to give their users more control. In that respect, GDPR definitely did push the digital landscape closer to where it needed to be.
But a lot of those changes were superficial. Organizations did the bare minimum to comply with GDPR and interpreted the regulation narrowly. Many dragged their feet before taking action at all, which is exactly why fines are now being lobbed.
Early in 2019, a German social media platform was the first to be fined for non-compliance. Now regulators are going after bigger fish, Google included. It’s clear that 2019 is quickly becoming the year of enforcement, which will encourage many organizations to start taking GDPR requirements seriously.
We’re Starting to Feel the Effects
When it first launched, the regulation didn’t change much. It seemed like more of an annoyance, as many organizations and website providers implemented intrusive privacy and data security pop-ups. Every new visit to a site was met with at least one distraction asking for user consent. As annoying as it was, it was still a step in the right direction and showed that these companies at least understood what GDPR meant, even if they weren’t taking it seriously.
More importantly, the Irish Data Protection Commission (DPC) has grown in size, including more staff, which means it has more resources to devote to incoming complaints. That’s significant because many of the tech giants have their EU headquarters stationed in Ireland, including Facebook, Twitter, Microsoft, LinkedIn and even Google. Complaints that come in about these companies are being reviewed faster and taken into account, which means we’re going to start seeing a lot of the repercussions hitting hard.
Fines aside, Graham Doyle, Head of Communications at the Irish DPC, says they would much rather work with companies to get compliance right the first time. “We take a twin-pronged approach to upholding GDPR: enforcement and engaged supervision.”
Doyle goes on to explain the difference. “Engaged supervision is where we engage with organizations, consult on personal data-related legislation, and with companies regarding their new products. Basically, when we engage with organizations, we try to assist them in getting it right from the beginning.”
So it’s not necessarily about punishing everyone and everything. It’s about building more awareness of user privacy and security and incorporating that practice as a design element of new products and services. Companies that handle incredibly sensitive data are, understandably, seeing the biggest impact. The asset and wealth management industry is a great example, as many organizations within its purview struggle to comply.
What Has It Changed?
Not long after the regulation went active, many US-based sites blocked access for EU citizens altogether to avoid problems. Rather than update their sites to meet modern demands, they simply bowed out of the equation. Not only does this show a disregard for preserving privacy and security, it also shows that many organizations are unwilling to deal with the requirements and demands. It does make you wonder what will happen if and when the U.S. adopts a similar form of regulation. Over time, that list of blocked sites has continued to grow.
In addition, the use of third-party cookies across many different websites, news sites especially, decreased in the wake of GDPR. The drop is an estimated 22 percent, according to the Reuters Institute for the Study of Journalism.
Finally, there’s been a widespread loss of trust in supply chain partners from marketers and distributors. GDPR raised many questions in regard to liability, leaving the onus on marketers if a third party is not in compliance. While it’s great that organizations are now taking responsibility for how they handle data and privacy measures, we definitely need to see more responsibility placed on other parties involved in regular operations, including some of those exempt third parties. How or even if this will happen remains to be seen.
For now, we’ll have to continue to keep an eye on how the regulation is impacting the world at large — the change is certainly not over.