It’s now been half a year since GDPR came into force (officially on May 25, 2018), which raises the question: what has the impact been?
You may have a pretty good idea where your organization stands in regards to GDPR compliance, but sometimes it’s valuable to compare where your organization stands with other organizations. To help with this, we’ve done a little research and uncovered 4 areas where GDPR has had an impact.
For a more recent look at the impact of GDPR, check out our 1 year anniversary post:
One Year Later - Has GDPR Really Been that Big of a Deal?
1. Websites in Europe have noticeable changes as a result of GDPR
Not sure about you, but as the May 25 deadline approached, I recall my inbox being slammed with updated privacy policies – which just shows how many companies were indeed aware of the potential GDPR fines for non-compliance. Here’s what else was noticeable:
- Many websites load faster. Take the USA Today online newspaper, for example: in the U.S., the site had an average web-page load time of 9.9 seconds after GDPR went into effect, while in the U.K., France, and Germany the average web-page load time of the European version of USA Today was less than 0.75 seconds.
  - The faster load times are most likely due to the removal of most external third-party features such as ad servers, Google services and analytics, and social media plug-ins.
- Beyond load speeds, third-party cookies dropped 22% on news sites in Europe. Some organizations are even deferring tracking cookies until after a user clicks to accept the site’s terms for using their data.
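The "defer until consent" pattern mentioned above can be implemented with a small consent gate that queues third-party scripts and cookies per consent category and only activates them once the visitor accepts that category. The code below is an added illustration, not code from the original post; the `loader` and `cookieJar` hooks, the category names, the vendor URLs and cookie names are all assumed placeholders so the logic runs outside a browser (in a page they would wrap `document.createElement('script')` and `document.cookie`).

```javascript
// Added example: consent-gated loading of third-party features.
// Nothing for a non-essential category is injected or written until
// the visitor has granted that category.
class ConsentManager {
  constructor({ loader, cookieJar, alwaysAllowed = ['necessary'] }) {
    this.loader = loader;           // assumed hook: (src) => void, injects a <script>
    this.cookieJar = cookieJar;     // assumed hook: { set(name, value) }
    this.granted = new Set(alwaysAllowed); // strictly necessary needs no consent
    this.pending = new Map();       // category -> queued features
    this.loaded = [];               // names of activated features, in order
  }

  // Register a feature under a consent category. If that category is
  // already granted it activates immediately; otherwise it is queued.
  register(category, feature) {
    if (this.granted.has(category)) {
      this.activate(feature);
      return;
    }
    if (!this.pending.has(category)) this.pending.set(category, []);
    this.pending.get(category).push(feature);
  }

  // Called when the visitor accepts one or more categories in the banner.
  grant(categories) {
    for (const category of categories) {
      this.granted.add(category);
      const queue = this.pending.get(category) || [];
      this.pending.delete(category);
      queue.forEach((feature) => this.activate(feature));
    }
  }

  activate(feature) {
    if (feature.src) this.loader(feature.src);
    for (const [name, value] of Object.entries(feature.cookies || {})) {
      this.cookieJar.set(name, value);
    }
    this.loaded.push(feature.name);
  }
}

// Drives the flow against in-memory stand-ins for the page. All feature
// names, URLs and cookie names below are constructed placeholders.
function simulate() {
  const injected = [];
  const cookies = {};
  const cm = new ConsentManager({
    loader: (src) => injected.push(src),
    cookieJar: { set: (name, value) => { cookies[name] = value; } },
  });

  cm.register('necessary', { name: 'session', cookies: { sid: 'placeholder' } });
  cm.register('analytics', { name: 'analytics', src: 'https://analytics.example/tag.js',
                             cookies: { _an_example: '1' } });
  cm.register('advertising', { name: 'ads', src: 'https://ads.example/loader.js',
                               cookies: { ad_id: 'placeholder' } });

  const beforeConsent = { injected: [...injected], cookies: { ...cookies } };
  cm.grant(['analytics']);            // visitor accepts analytics only
  const afterAnalytics = { injected: [...injected], cookies: { ...cookies } };
  return {
    beforeConsent,
    afterAnalytics,
    loaded: [...cm.loaded],
    stillPending: [...cm.pending.keys()],
  };
}
```

The session cookie under the `necessary` category is written straight away, the analytics tag and its cookie appear only after `grant(['analytics'])`, and the advertising loader stays queued until its own category is accepted.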
2. Data protection and privacy concerns are increasing
In the United Kingdom, data protection complaints more than doubled. There were 6,281 complaints filed with the UK’s ICO (Information Commissioner’s Office) between May 25 and July 3, compared with only 2,417 complaints in the same period in 2017. The ICO did not confirm that all new cases were a result of GDPR; however, it has seen a rise in personal data breach reports from organizations as well as in complaints relating to data protection issues.
Regarding data breaches, a recent example occurred in August 2018. SuperDrug UK was contacted by an individual who claimed they had obtained data from 20,000 customers, wanted a ransom, and provided 386 records as proof. Within 72 hours, SuperDrug UK reported the data breach and notified customers.
However, SuperDrug UK said there was no evidence of an actual breach as claimed. Later analysis by independent IT security advisors confirmed that there were no signs of a hack on their systems and no proof of any mass data extraction from them. In addition, the 386 records came from data stolen in a breach that had occurred a few years prior. Under GDPR, the company still had to report the incident publicly.
3. Not all companies are following GDPR requirements
It seems there are still people in some organizations who believe GDPR will not affect them. “GDPR only affects companies in Europe, right?” asked one IT professional from South America recently at an IT conference.
Nope! In fact, GDPR says that any company that processes data from European residents needs to follow GDPR requirements.
Some companies, particularly news sites, shut out European visitors from their websites after May 25. Many people attempting to access the websites saw messages like “this content is not available in your area.” About a third of the 100 largest U.S. newspapers (as of August 8) were still blocking European visitors to their websites rather than complying with GDPR.
One reason given was “Not enough traffic...”, according to Lee Enterprises, which manages city newspapers from Arizona to Washington. According to a spokesperson, the company does not intend to comply with GDPR because its sites don't draw enough EU visitors.
4. Future data protection and privacy laws are using GDPR as a model
GDPR may have inspired other agencies and regulators to tighten up and update their data privacy requirements, as reflected in two new data privacy laws recently put in place:
Brazil’s new general data privacy law (Lei Geral de Proteção de Dados Pessoais or “LGPD”) was signed into law on August 14, 2018 and follows many GDPR provisions. Companies have until 2020 to bring their data processing practices into compliance. Some similarities are:
- Carries the possibility of a large fine – up to 2% of the previous year’s global revenue
- Involves the use of personal data from individuals located in the national territory of Brazil
Brazil’s LGPD also lays out some additional requirements, such as the protection of health and the protection of credit.
California just passed one of the toughest data privacy laws in the country. The bill gives consumers five fundamental rights:
- the right to know how their information is being used
- the right to have their information deleted
- the right to prevent the sale of their personal information
- protection from retaliation for making any requests under the act
- the right to sue
The bill takes effect January 1, 2020, giving businesses some time to make the necessary process changes to ensure they’re in compliance.
So where does your organization stand in regards to GDPR requirements?
No matter where your organization is in regards to GDPR compliance, it is clear that regulations are here to stay. Is your organization prepared for future regulations that may have a GDPR-like spin to them? The better question may be: how can you truly protect data and ensure privacy, regardless of regulatory requirements? What changes to the business will have to happen in order to implement data security? Meeting strict regulations today and in the future doesn’t have to be a daunting task; Enterprise Data Protection “done the right way” may help your organization in more ways than you know.