GDPR – What Happened

GDPR (General Data Protection Regulation) officially came into force across the European Union on 25th May2018, with the aim of updating laws and obligations around personal data and ensuring they are fit for the digital age.

Organisations had plenty of warning and years to prepare for GDPR. However, many appeared to end up in a last-minute panic with Internet users finding that throughout May 2018, their email inboxes were crammed with messages from companies asking them to opt-in to existing email lists and provide permission for the organisations to use their data.

After the great email storm, it all seemed to very quiet. Consumers are, presumably, benefiting from having their inboxes free of unwanted mail but, when it comes to businesses, what’s happening with GDPR now?

Many organisations are still working hard to making sure their systems are up to scratch even though the initial deadline has passed. The so called ‘right to be forgotten’ and, corresponding need to remove all data references to an individual, appears to have caused the greatest problems. Copies of data can exist in many forms including data bases, backups, spreadsheets etc and finding and removing all of them can be difficult. There are also many systems where removing data can ‘break’ the database and encryption options need to be used instead, to permanently hide the data rather than delete it.

In the event of data being breached, stolen or misused and the organisation found to be non-compliant with GDPR, they now risk fines of up to four percent of global turnover. While there have been fines, none so far, come close to the maximum amount. Rather the ICO has appeared prefer to work with most minor offenders to improve.

Apart from the headline-grabbing prospect of fines, GDPR has begun to have an impact on organisations outside of Europe too, as any business which has operations within the EU or processes EU citizens data must be compliant. Despite being global powerhouses and making the rule for many years, the likes of Google and Facebook have found themselves having to take GDPR into consideration.

Google has, so far made no comment about how GDPR has affected users or revenue however, Facebook has seemingly blamed GDPR for a decline of about a million monthly active users across Europe during the last quarter. In addition to the numbers of monthly and daily active users going down, Facebook has partially blamed a slowdown in advertising revenue growth within Europe on GDPR.

The introduction of GDPR has changed how Facebook and many other organisations now have to do business. For years, businesses were able to keep data about customers on record for years, even those who hadn’t used the service for a long time. But since GDPR, these organisations had to ask users if they wanted to opt-in into services. Some users will have chosen to give their consent, while many will have withdrawn it and others may not have been able to explicitly give it as emails were lost in old in-boxes or junk mail folders.

“The opt-in environment can only have reduced business volume in the activity of direct marketing — it can’t have made it go up, it can only make it go down,” said Stewart Room, lead partner for GDPR and data protection at PwC.

“What it has done is it’s increased awareness. There was more outreach done on data protection in the months of May and June 2018 in Europe than has ever been done in the entirety of the world in the history of data protection,” said Room.

Although there is a focus on organisations like Facebook and Google which are well known for using data as a product for generating revenue, they’re far from the only ones which have been hit by GDPR. Many companies have reported a decrease of about 25 to 40 percent of their addressable market. These are customers or prospects who have not given their consent to receive marketing communication or be digitally profiled.

Some companies outside the EU (especially in the US) are still trying to decide how to tackle GDPR. A significant number are now not displaying some content to users in Europe, pointing to GDPR as the reason.

GDPR coming into force on May 25 wasn’t a one-off event — organisations need to continue to ensure they are compliant with GDPR and just assuming this is the case of forgetting about it is likely to end up with them being found to be non-compliant in the future.

And for those non-EU organisations which have opted to just ignore or abandon their European markets for now, that’s unlikely to be sustainable in the long-term: California, Brazil and Australia are just some of the regions that have introduced or are examining the introduction of new privacy legislation.

Those organisations which decide to simply shut themselves from regions with privacy legislation could therefore quickly find that they have nowhere to go.