I recently read a post in which someone claimed that GDPR was probably the biggest fail of 2018.
Really? I can’t stop my hands from writing a comment here – I’ll keep it short though. Maybe.
Have you heard about GDPR?
2018 was the year of GDPR - no question. Around May 25 it was everywhere. Before that date it was all about compliance. The date came and then everyone waited to see who was going to be the first one to be called to account by the respective authorities. And then nothing happened (or at least it felt that way).
Now we’re in 2019 - and in a few months, the regulation will have been here for an entire year.
Is this good or bad? Do we have a fail here?
Everyone thinks that privacy in its abstract form is a good thing. From a consumer perspective, these regulations are incredibly important. First, technology has evolved with an unbelievable speed in recent years. Too many consumers are realizing what “data usage” actually means way too late.
Second, large corporations like Facebook or Google can make use of the enormous leverage they have on consumers. How many of us immediately accepted Google's recently updated terms and conditions without reading them? We knew we all were going to accept them anyway - nobody wants to renounce Google (chapeau to the few of you who do - you're my personal heroes).
So, if we deal with the question of whether GDPR was a fail, we have to do that from a business perspective.
What did the regulation mean for companies?
There was no choice
Regulations in the tech industry are very complicated. The dynamics in which the market develops, the speed of new start-ups and, of course, new ideas are enormous. In addition, technology has now penetrated all verticals. Even the smallest SMBs now manage sensitive data and can become the target of an attack.
So what is being done to regulate companies?
One possibility would be to let the individual European countries regulate this themselves. However, this creates silos - and none of us likes this word (unless you come from an agricultural background).
With a population of 508 million people, the European market is one of the largest in the world - as long as it is unified. Businesses - especially small businesses and start-ups - are more likely to offer their goods and services across borders if they do not have to follow specific laws for each country. This also applies to companies in the US - which can now rely on a unified data protection law when offering their services in the EU, thanks to GDPR and EU-US the Privacy Shield Framework. Imagine having to cover 27 different regulations in a foreign market! They’ve got enough trouble as it is keeping the various privacy laws among all 50 States in order.
Furthermore, it is enormously difficult for the EU to find the right level of regulation. That’s another topic – but anyway they did it - and it's a step in the right direction.
But how do companies see that?
The impact for companies
By May 25, 2018, all companies were 100% compliant.
At least almost all.
Alright, none. Maybe that’s an exaggeration. Or is it?
Basically, here you can divide it into two sides. The external “image” side, you could also call it the GDPR marketing side, and the side involving implementation of technical measures to protect the data.
Externally, many companies indicated that they were doing everything to be GDPR compliant; from sending far too many consent emails to banning European traffic from US websites. We’ve seen it all.
What used to be the 95 theses of data protection nailed to the door of GAFA a few years ago now hangs in every barber shop in the EU. And so everyone - at least to the outside - tried to be personally compliant. Wunderbar.
But what about actual privacy and data protection?
Many companies, if not most, have still NOT done everything necessary to protect the privacy of their customers. Whether it's the complex processes - or the technical countermeasures to minimize the risk of breaches. It is not easy to keep up here.
GDPR is very open for interpretation. There will be no 100% compliance. Like Article 32 which requires data controllers to 'ensure a level of security appropriate to the risk'. What does that actually mean? On what terms are security measures deemed appropriate to a given risk?
Nevertheless, the regulation is not bad. It provides the groundwork for evaluating the behavior of companies that deal with data. This becomes clear when we look at two cases from the last few months:
Recent GDPR Fines
A chat platform was compromised by hackers in September 2018. PII of 330,000 users was subsequently made publicly available.
Fine: 20,000 € (~22,900 USD)
In case you’re asking “why so little?”
- They reported the breach promptly
- They cooperated closely with the DPA
- They immediately followed the recommendations of the DPA
A Portuguese hospital had poor account management practices. There were 985 active accounts for doctors in the database and even though only 296 doctors worked in the hospital, every doctor had access to all patient records, regardless of his or her specialty.
Fine: 400,000 € (~458,000 USD)
Clearly, a lot depends on the willingness of companies to deal with the issue.
So, was GDPR a fail?
In my opinion, absolutely not. Sure – on the one hand it could have been less stressful but, on the other hand, companies should be doing more to protect our privacy. There are many other ways to solve this problem – and there might be better ways. But bear in mind: technology is one of the most difficult things to regulate, however, if it weren’t regulated at all – this would not only be bad for customers, but also for companies trying to do the right thing. When it comes to fines, there could be more transparency – but I like the idea that “good companies” will be able to avoid or minimize fines by proactively working on issues – while lazy companies have to pay for their complacency.
At the end of the day, breaches are not always avoidable.
Keeping that in mind – the protection of data is more important than ever - and will remain so. This affects not only the IP of companies - but also the data of their customers - and thus the very important relationship of trust. GDPR is only the beginning - more and more comparable regulations are coming.
What does your company do to protect data?