GDPR – How Well are We Doing so Far
October 11, 2019
Quick recap – what is the GDPR?
The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area. It addresses the export of personal data outside the EU and EEA and became effective on 25 May 2018.
Similar to our Protection of Personal Information Act (POPIA), the GDPR makes organisations accountable for personal data protection and governs the handling, collection, processing and storage of information that could lead to the identification of an individual.
It is one of the most complex pieces of EU legislation, and understandably many small business owners are confused about privacy and data protection rules. Business owners and employees have either made mistakes or are simply unaware of the regulations, which could have resulted in massive fines.
The Negative
There is still a large amount of confusion and misunderstanding about how citizens’ data is used. Many countries have implemented educational and awareness programs to help their citizens understand their data management rights.
EU commissioner Vera Jourova has urged government agencies to do more in ensuring that the application of GDPR in cross-border cases is not hamstrung by different rule application in different countries.
Many businesses are not aware that the following are in fact data breaches:
- Visitor books at reception where previous visitors’ details can be seen.
- Sponsorship or raffle forms containing names and contact details.
- Allowing staff to use their personal phones or computers, which lets unencrypted data be stored at home.
- Presentations and training materials containing details of case studies.
- Marketing material containing staff photos with visible name tags.
- Loss of paperwork, not just electronic data.
Imposing fines on corporates for personal data mismanagement has not been a success. During GDPR’s first 9 months, agencies in 11 European countries imposed fines totalling €56m. That sounds impressive, but €50m of that amount was the French fine against Google. In the UK, 11,468 data breach cases were opened during the first 12 months and only 29 resulted in a fine – that’s only a 0.25% success rate!
The cost of complying with GDPR is extremely high and therefore favours the large corporates (read Google and Facebook) while severely limiting competition from smaller companies trying to enter the market.
A widely reported example – in September 2018 British Airways (BA) revealed that the details of up to 500,000 customers, including payment data and address information, were compromised in a hacker scam involving diversion to a fake website. BA admitted the breach but claimed that the UK’s Information Commissioner’s Office (which imposed a £183m fine) could not prove it was the airline’s fault and would therefore not be able to calculate a fine amount. In early October 2019 the High Court granted an order allowing group litigation for compensation from the airline to begin.
The Positive
The Chief Privacy Officer of Mastercard stated that some companies had already done the data mapping exercise and therefore knew exactly what data they held and where it was kept. When you know what data you have, you know what is up to date and can comply with the law, with the upside of also being better prepared to take the opportunities, with their attendant risks, that arise.
The number of data breach notifications and complaints has increased dramatically since GDPR came into effect. The sheer amount of information that this provides is invaluable to regulators in understanding the root causes.
Citizens now have more understanding of their rights to camera surveillance, unsolicited marketing communications and the right to be forgotten.
GDPR has affected marketing in a number of ways with the three key areas being:
- Access to data – individuals now have more control over the use of their data, including the right to be forgotten. This can be managed with a simple unsubscribe link in marketing emails that lets an individual manage their communication preferences.
- Permission – a web form with a default (pre-ticked) opt-in is not compliant: visitors need to actively select a communication preference (e.g. by ticking a box). In addition, once someone has opted out of receiving marketing emails, further communication is not allowed.
- Type of data – only collect the data that is needed. Avoid collecting data that is not necessary unless it can be legally justified.
With all these restrictions you may see only the risk in your marketing plan; however, the opportunity for targeted marketing campaigns has never been better. Compliance with GDPR has essentially forced all the right behaviours for ensuring that we engage with people who are interested in our product or service offering. We will have the permission, the correct data and the correct storage protocol, so instead of a (now non-compliant) default opt-in we gain valuable insight into what information each individual is interested in.
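The three marketing obligations above (an affirmative opt-in rather than a pre-ticked box, a suppression of anyone who has opted out, and collecting only the fields a campaign needs) translate directly into logic a sign-up form and mailing system can enforce. The Python below is an added example written for this article, not code from the European Commission, Mastercard or any other organisation named; the form field names (consent_ticked, consent_default, topics) are assumed, and the sample submissions are constructed.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import Optional

# Fields the campaign actually needs. Everything else a sign-up form captures
# is discarded before storage (the "only collect what is needed" rule).
NEEDED_FIELDS = frozenset({"email", "topics"})


@dataclass(frozen=True)
class Contact:
    email: str
    topics: frozenset                      # topics the person actively selected
    consented_at: datetime                 # when the explicit opt-in was recorded
    opted_out_at: Optional[datetime] = None


def minimise(form):
    """Keep only the fields needed for the campaign (data minimisation)."""
    return {k: v for k, v in form.items() if k in NEEDED_FIELDS}


def record_consent(form, now):
    """Turn a sign-up form submission into a Contact, or None if there is no
    valid consent. `form` is a dict of submitted fields (hypothetical names).
    Consent is valid only if the visitor ticked the box AND the box was
    presented unticked: a pre-ticked default is not consent."""
    if not form.get("consent_ticked"):
        return None
    if form.get("consent_default") != "unchecked":
        return None
    data = minimise(form)
    return Contact(email=data["email"].lower(),
                   topics=frozenset(data.get("topics", ())),
                   consented_at=now)


def opt_out(contact, now):
    """Record an opt-out; from now on this contact receives nothing."""
    return replace(contact, opted_out_at=now)


def update_preferences(contact, topics, now):
    """Action behind a 'manage preferences' / unsubscribe link.
    Deselecting every topic is treated as a full opt-out."""
    topics = frozenset(topics)
    if not topics:
        return opt_out(contact, now)
    return replace(contact, topics=topics)


def recipients(contacts, topic):
    """Addresses allowed to receive a campaign on `topic`: no opt-out on file
    and the topic was explicitly selected by the person."""
    return sorted(c.email for c in contacts
                  if c.opted_out_at is None and topic in c.topics)


# Constructed sample submissions (not real people).
SAMPLE_FORMS = [
    {"email": "Alice@example.com", "topics": ["newsletter", "offers"],
     "consent_ticked": True, "consent_default": "unchecked",
     "date_of_birth": "1980-01-01", "employer": "Acme"},    # extras are dropped
    {"email": "bob@example.com", "topics": ["offers"],
     "consent_ticked": True, "consent_default": "checked"},  # pre-ticked: invalid
    {"email": "carol@example.com", "topics": ["offers"],
     "consent_ticked": False, "consent_default": "unchecked"},  # never ticked
    {"email": "dave@example.com", "topics": ["offers"],
     "consent_ticked": True, "consent_default": "unchecked"},
]


def demo():
    """Process the sample forms, apply one unsubscribe, and build send lists."""
    now = datetime(2019, 10, 11, tzinfo=timezone.utc)
    contacts = [c for c in (record_consent(f, now) for f in SAMPLE_FORMS) if c]
    # Dave later uses the preference link and deselects every topic.
    contacts = [update_preferences(c, [], now) if c.email == "dave@example.com" else c
                for c in contacts]
    return {"valid_contacts": sorted(c.email for c in contacts),
            "offers_send_list": recipients(contacts, "offers"),
            "newsletter_send_list": recipients(contacts, "newsletter")}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Only Alice ends up on a send list: Bob's pre-ticked box and Carol's unticked box never create a contact, and Dave's empty preference selection is stored as an opt-out rather than silently deleted, so the suppression survives any later re-import of his address.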
So how well are we doing?
Difficult to say at the moment, but with the noble intention of GDPR, the threat of some hefty fines and the benefit to individual data privacy I would lean towards cautious optimism.
With thanks to the European Commission, Moneyweek and Euronews for information contained in this article.
Author – Warrick Asher