Has the landmark law helped build a culture of privacy in organizations, and have consumers become more careful about sharing their personal information?
"Relying on the government to protect your privacy is like asking a peeping tom to install your blinds" – John Perry Barlow, EFF (July 1992).
Anyone who is in the least concerned with protecting their personal information online will likely agree with Barlow's quote. Two years have passed since the implementation of the General Data Protection Regulation (GDPR), the EU data protection regulation, which aims to give individuals control over their personal data and to simplify the requirements for companies.
Are there fewer data breaches? Do companies take data protection and consent seriously? Are individuals more concerned with protecting their personal information? It is difficult to say whether the GDPR has been successful, because we do not know what would have happened if the previous data protection regulation had still been in force.
Without a doubt, the global data protection landscape has changed with the GDPR. The legislation focused data protection discussions in capitals and boardrooms around the world. There are now more than 100 countries and states with individual data protection regulations, some stricter than others, and some of them, such as Argentina, Brazil, Chile, Japan, Kenya, South Korea and California, have clearly taken the GDPR as the model for their own legislation.
The growing number of regulations around the world shows both the need and the willingness of governing bodies to intervene, but it also creates a complexity that I recently discussed in a blog post. The complexity of so many regulations likely means that companies will try to harmonize their data protection approach to satisfy the majority of them and take a defensible position if they accidentally violate one.
I'm sure companies have taken note that GDPR enforcement agencies have started to flex their muscles and impose fines or give notice of intended fines. The first major fine, of EUR 50 million (USD 54 million), was imposed by the French data protection authority CNIL in January 2019 for insufficient control, consent and transparency regarding the use of personal data for behavioral advertising.
This was overshadowed by a huge £183 million ($221 million) fine imposed on British Airways by the British Information Commissioner's Office (ICO) in July 2019 for a lack of security that led to a malicious attack affecting 380,000 website transactions. In comparison, the ICO fined Facebook just £500,000 ($605,000) for the Cambridge Analytica scandal, which occurred just before the GDPR was introduced; that was the maximum penalty at the time.
What does the law have to do with it?
If you are a consumer in a country where data protection laws have taken a similar approach to the GDPR, you are used to seeing the numerous consent dialogs that companies now need to display when collecting your personal information. The bold position of requesting consent has set the bar for future legislation by other agencies. Even where opt-out has become the chosen path, the awareness created by the message, which can probably be partly attributed to the GDPR, gives the consumer at least the opportunity to make an informed decision.
A fundamental change has also taken place in product and service development, and this can probably also be partly attributed to the GDPR. At the start of a new service or product, data protection by design and by default is now a relatively standard approach that any team takes into account when realizing projects. Consumers now expect a trustworthy relationship with a provider, and the provider knows that this will lead to economic success in the long term.
It seems impossible to write this blog post without mentioning the current COVID-19 situation, with the numerous telecommunications apps and location mapping data being made available to governments by telecommunications providers. While data protection may in some cases have been suspended, or at least changed in ways that would not be acceptable under normal circumstances, the visibility of personal data protection created by both the GDPR and the Cambridge Analytica scandal has led to a worldwide review of the use of data to address the current pandemic. In this review, governments tracked proposals and technology companies developed new methods to ensure anonymity. There is also a general consensus that a contact-tracing app must respect the user's right to privacy.
The GDPR has legitimized data protection lawyers around the world, allowing them to have a voice, to raise their concerns and to be heard. However, the big question remains: "Have citizens become owners of their personal data?" I leave you with an inspiring quote from the late Steve Jobs.
"Privacy means that users know what they're signing up for, in plain text and repetitive. I think people are smart. Some people want to share more than others. Ask them." – Steve Jobs
Tony Anscombe May 25, 2020 – 11:30 a.m.