19 June 2018
GDPR nearly a month on: How has it affected you?
The General Data Protection Regulation (GDPR) is here to stay and leaves organisations with a mix of new challenges and opportunities. It represents the most extensive overhaul of European Union (EU) data protection legislation in the last 20 years. A legal game-changer, the GDPR is geared towards giving the right of ownership of data back to European citizens and enforcing stricter rules for storing, distributing, and manipulating information.
Therefore, it offers data subjects more robust protection and provides clearer guidelines to organisations managing their data. But the key question is: what has really changed since it rolled in on May 25th?
Everything has changed
With the enactment of GDPR, organisations in the EU have to worry about more than just damage to their public image and mild resource strain. The penalties for non-compliance mandated by the regulation are steep: up to 4% of the organisation's annual revenue or €20 million, whichever is higher. To avoid this financial blow, businesses are tasked with bringing their data protection policies in line with the regulation, and the deadline is set: the end of 2018.
However, do these ramifications necessarily bring forth a safer cyber environment for everyone? The incentives to adapt fully to the rules of the game have certainly never been higher. Then again, the security stakes of major data breaches were always high: consumer trust, strategic information, monetary assets, and intellectual property (IP).
The difference today is that the days of varying legal interpretations of the EU Data Protection Directive are over. In their place, we have a standardised, pan-European framework that leaves little to no room for guesswork: any customer data breach must be reported within 72 hours. This improvement should deliver the promise foretold by authorities: significant benefits for EU data subjects and their online security.
The pace of enforcement
GDPR gives us an opportunity to rethink data security, but we have to observe whether the practices and policies in the business landscape have actually changed. Organisations have one more year until the Regulation applies, although a period of “lenient enforcement” will last two years. This less-than-rigid timetable has produced a lack of immediate transition and suggests that most businesses across the EU will struggle with, or forgo, compliance for months to come.
And we can already see the proof. In a statement on the ePrivacy Regulation, EU authorities declared that most enterprises (82%) still don’t have any data-breach notification plan. In addition, one-quarter of all businesses within the EU will not be able to meet the aforementioned notification windows and warn customers or governing bodies that a breach has occurred.
Finally, the same official document classifies the notorious “cookie walls” as incompatible with the new regulation. This is to say that the practice of storing cookies and using other tracking technologies without “freely given consent” is to be explicitly banned.
Users feeling the ripples
But what could really stage a triumph for online security and prompt organisations to step up their data protection practices are complaints from data subjects themselves. Under the new legislation, complaints lodged with a Data Protection Authority (DPA) warrant an official investigation and can red-flag businesses for GDPR non-compliance. And within hours of the legislation taking effect, complaints were filed against Facebook, Google, Instagram, and WhatsApp.
This gives confidence that we might see widespread adoption sooner rather than later.
Still not in the clear
The new regulation unequivocally introduces rigid rules and tougher fines. Affected are organisations using or processing the personal data of EU residents, as well as data subjects themselves. So, does the GDPR bring these parties closer together in a battle against evolving online threats?
The answer is not cut and dried, but steps have been made in the right direction. EU officials have announced that organisations will have to reduce the risk of data breaches and do away with old practices such as “cookie walls”. In more than one way, business entities are propelled to bolster their online security credentials and keep users’ data safe. Will it be enough? The next few months are sure to provide us with a much clearer answer.