GDPR - one year later
The GDPR Focus on Digital Business Big and Small
One year ago, GDPR loomed on the horizon. No one seemed certain how it would affect the EU or foreign businesses with ties to the EU. What seemed to preoccupy everyone most was whether they would be ready to implement the regulation in time.
Deadlines, Scandals and Consequences
For many not directly employed by the soon-to-be-affected companies, the lead-up to May 25th, 2018 was marked by an increase in e-mail traffic. Various businesses and service providers were scrambling to ask their customers and users to update their data and provide consent. They were also spamming a lot of inboxes in the process.
In a speech made to the European Parliament in early 2018, Mark Zuckerberg stated that Facebook would be ready to implement GDPR by the May 25 deadline. This came on the heels of the Cambridge Analytica Scandal and Facebook's £500,000 fine.
Cambridge Analytica was famously involved in the 2016 US elections but also used UK and EU citizens' personal data, acquired from Facebook, for the Vote Leave and BeLeave campaigns during the Brexit Referendum. The data breach did, however, have a positive effect.
In 2017, British consumers seemed overwhelmingly uninterested in exercising their upcoming privacy protections. However, after the Cambridge Analytica scandal, an SAS poll showed that 72% of those polled had already changed their data permissions ahead of May 25th and were planning on sharing less data in the future.
Subject to Interpretation
GDPR's success with Google, however, has been less than impressive so far. Google interpreted GDPR very strictly without notifying the publishers that used it as a platform, which seriously affected the entire digital ads sphere.
Also, the sheer number of active users provides it with a significant advantage over its competitors and allows it to adapt its GDPR strategy without significant repercussions.
Of note is the effect GDPR has had on digital services, including mobile banking, streaming services, and tech companies, all of which proved extremely agile when it came to GDPR compliance. This is because all of these services recognized the opportunity to build customer loyalty, which, along with trust, is one of the most important things.
US Refuses to Play
Meanwhile, US companies that processed EU citizens’ data decided to deal with GDPR by simply prohibiting access to their services to European users.
Some services then attempted to offer a premium subscription with no ads and no data tracking, or a free subscription with consent to be tracked. The UK's ICO had something to say about this practice, reprimanding the Washington Post. However, the reprimand was not followed by any sterner measures and, as such, probably will not dissuade further instances of such practice.
Apple's CEO Tim Cook has recently voiced his support for GDPR and said that the rest of the world should implement similar regulation. While Cook didn't specify the catalysts behind the statements, he was nodding towards recent events such as the Cambridge Analytica Scandal. Now he has been joined by Cisco in calling for data laws to be embraced by the US as they have been in Europe.
At a privacy conference in Brussels, Cook stated that "Platforms and algorithms that promised to improve our lives can actually magnify our worst human tendencies" (CNBC).
All About the Fines
What about the fines? The summer of 2018 saw a Portuguese hospital fined €400,000 for GDPR violations: granting social workers access to patients' clinical data and providing doctor-level access to over 900 users while having fewer than 300 physicians on staff. The case is notable not only for being one of the first publicly announced fines but also for the figure.
Since the maximum fine under GDPR is €20 million, it seems regulators were willing to make a measured response. This can be compared to Uber, which received a £385,000 fine for failing to protect customer data during a cyber attack.
While the attack predated GDPR and the fine was made under the Data Protection Act, it is inevitable that a full GDPR-level fine will occur in the near future, perhaps as early as 2019. One thing is for sure: no business or service, no matter how big or small, whether government-owned, publicly traded or a private enterprise, is beyond the regulation enforcers' scrutiny, and any of them can be subject to steep fines. That, after all, is one of GDPR's main aims.