2 years of GDPR: The good, the bad and the future

May 25th, 2020. Believe it or not, two years have passed since the new General Data Protection Regulation entered into effect. Two years since data protection became one of the biggest challenges organizations had to (and still have to) face.

The legislation aimed to make individuals and companies alike more aware of what happens to data once it is shared and collected, and to ‘force’ them to become more responsible about how they handle that data. So simple, yet so complex, as shown by the numerous compliance burdens, technical limitations and financial costs encountered along the way.

What does the data protection landscape look like after two years of GDPR?

The Good

Amid all the complications of the regulation, we should not forget that it managed to shed some light on privacy and individuals’ rights. We are now more familiar with our rights and we can start taking action to protect our own data. The Cisco Consumer Privacy Survey indicated that 52% of respondents said they had more control over their personal data as a result of GDPR. The same research revealed that 59% of them felt they had a greater ability to exercise their rights regarding data.

It is well-known that an educated public is an important step towards better data management and fraud prevention. So, even though there is still room for improvement, GDPR translates into better practices and more initiatives on putting privacy at the centre of all conversations.

The 2018 – 2020 interval also saw companies paying increased attention to cybersecurity. According to Brian Honan, CEO of BH Consulting, many organizations are using their obligations under the GDPR as a reason to ensure systems are upgraded to the latest operating systems and that appropriate investments are made in cybersecurity controls. The Cisco Data Privacy Benchmark Study 2020 pointed out that 70% of these organizations stated they receive significant business benefits from privacy, including operational efficiency, agility, and innovation.

In addition, the possibility of a substantial fine has prompted organizations to update their documentation and pay more attention to how things are handled, as well as to define clear procedures to follow in case of a data breach or suspicious activity. Most importantly, these organizations have started to increase their data security budgets.

Another positive aspect worth mentioning is that a lot of countries have followed Europe’s example and started working on GDPR-like legislation. The increasing number of authorized bodies willing to create their own privacy regulations points to the need for and importance of such measures at a global level. It remains to be seen how they will address them and whether any region or country will decide to go with its own set of rules and recommendations that may or may not conflict with the existing ones.

The Bad

In their rush to become compliant, a lot of companies almost drowned in bureaucracy, and instead of clarity and transparency, they implemented excessively lengthy or technical documentation and processes. They have also overwhelmed their employees and customers with GDPR updates, privacy statements and procedures. Statistics highlighted that 47% of individuals expressed notification fatigue and said they receive far too many meaningless privacy-related notifications as a result of GDPR.

Small and medium-sized businesses faced more challenges in implementing GDPR requirements, as most of them lacked the financial resources and expertise to create a detailed security and privacy program. Moreover, some of them got off to a late start because they spent a lot of time trying to understand the regulation, while others did not believe that the legislation actually applied to them.

Last, but not least, although companies invest more in cybersecurity, they now face a bigger problem when it comes to online attacks: 66% of security professionals said that restricted domain data access makes it harder to investigate cybercrime.

The Future

Now that things have started to settle down and compliance is closer than ever (wishful thinking 😊), organizations as well as governing bodies need to pay more attention to prevention. In the last two years we have also witnessed a significant growth in data breaches, so reducing the number of these incidents should be the top priority.

The current pandemic has also taken its toll on GDPR. On one hand, there is a discussion about relaxing GDPR rules to support the tracking and processing of individuals’ personal data in the fight against COVID-19. On the other hand, privacy’s most fervent advocates state that, on the contrary, if we are going to collect so much health-related data, it is mandatory to strengthen the commitment to privacy.

Enforcement agencies across Europe should update their GDPR agenda with discussions on how to address inconsistencies in the way they manage investigations, and on how they can increase cooperation.

Regardless of the challenges and unanswered questions around GDPR, it is undeniable that the legislation has brought a considerable improvement for privacy and data protection in Europe, and perhaps worldwide as well. So far, its biggest accomplishment is that it managed to raise awareness and make individuals and organizations alike become more accountable and responsible when it comes to data.

How was your experience with GDPR?
