Four years ago, one of the most significant data privacy and protection reforms took place. On May 25, 2018, the GDPR regulation came into force two years after the EU agreed to it. In the four years since then, 1.6 billion euros have been collected in fines (mostly in the past year), various privacy regulations have spread across North America, Latin America, and Asia, and people and businesses have become more aware of their rights and the meaning and impact of private data.
Four years is enough time to look back and ask (and possibly answer) some critical questions about the success and the future of GDPR.
The privacy revolution
The GDPR has revolutionized the world, no doubt. From the privacy tech we use and how companies make decisions to the types of conversations we have, the GDPR has turned many things we took for granted upside down. But if I had to list the top three most significant achievements, they would be:
Transparency and choice – The GDPR created privacy awareness among consumers by signaling to them that they had rights to their data. All consumers, no matter how techy or privacy-savvy they were, were given the right to know which personal data was being collected (the right to access), insight into how that data was being used, and the right to object to this or have their data erased by companies (the right to erasure). New technologies have helped make these data rights accessible.
Accountability and responsibility – Companies were elevated from transactional players that sell and buy goods to meaningful actors that impact people’s lives long after those people leave their brick-and-mortar or online premises. As such, companies were required to be accountable and show responsibility for the ways they gather, hold on to, and use personal data.
Leveling the playing field – Both companies and consumers commenced a new discussion amongst themselves and with the regulator, in which they were given tools and responsibilities for ensuring data privacy. The GDPR has given rights to consumers, giving them more control and choice over which data companies collect and what is done with this data. This has redefined the data relationship between all players.
These changes are not to be taken lightly. Privacy, once a side topic at dinner parties after a major, newsworthy data breach, or a subject deemed worthy only of conspiracy theorists, has become the main event. The GDPR has given consumers the tools and the muscle to become proactive and regain ownership of their private data, and businesses are both legally required and pushed by their customers to follow suit. In addition, a new profession and area of expertise has arisen: privacy professionals and DPOs (Data Privacy Officers).
Good intentions, lack of practicalities
But looking back, the GDPR also has some drawbacks, or rather some important aspects it missed. First is the issue of cross-border data transfer. To ensure the data privacy of EU individuals, the GDPR restricts transferring personal data outside of the EU unless adequate privacy practices are in place.
While well intentioned, this rule has created uncertainty for users and companies. The lack of international privacy standardization, or of clear guidelines on how to transfer data, has created confusion and chaos, which serves neither users nor companies.
An example of this is Facebook (now Meta) threatening to shut down Facebook and Instagram in Europe if it cannot process European citizens’ data on US servers. This threat follows almost a decade in court debating these transfers and attempting to find legal solutions for them.
The second confusing GDPR issue is cookie banners. Under the GDPR, websites must obtain users’ consent before tracking them digitally with cookies and trackers. The banner has to let users choose which cookies they accept and cannot pre-tick the acceptance box.
However, this privacy-driven idea has not necessarily resulted in more transparency and choice; some might even argue the opposite: cookie banner fatigue and sly marketing techniques have created cookie banner blindness. Many users automatically opt in to all cookies because it is the easiest choice, or because they can’t be bothered and want to dive straight into the website they’re visiting. As a result, these banners can actually loosen the grip of privacy regulations and undermine their intent, which is to give consumers more transparency and control over their data.
Finally, the GDPR has standardized Privacy Impact Assessments (PIAs). PIAs are internal processes intended to help companies identify and manage privacy risks arising from projects, processes, or systems. However, the question of how PIAs should be conducted and what to do with their findings remains a gray area for many companies.
These issues have created challenges for both consumers and companies, as the regulations have provided the technical pillars of ownership without providing more guidance and insights into the practicalities or giving tools or assistance to comply with the requirements.
A new opportunity for forward-thinking businesses
Nevertheless, the GDPR was, and continues to be, the most significant breakthrough in modern data privacy to date. It has changed the landscape worldwide, which is evident from the many regulations following in its footsteps. In addition, minimizing data collection and opening up a whole new conversation between consumers and companies has the potential to build trust and engagement like never before.
It has also created room for a new value-based internet. In this new model, digital interactions are a two-way relationship: consumers provide their data and, in return, receive value. An example of this is Spotify’s premium plan, which gives me an ad-free experience and includes music recommendations, which is valuable and helps me. Therefore, the value I’m getting is greater than the cost, which is the data I provided and the associated digital risks. Consumers will only continue to “pay” with their data to companies that provide them with authentic value, and they will remove their data from companies they do not trust or derive value from. In other words, consumers are willing to take on privacy risks when they gain quality benefits. Businesses that respect their customers when collecting data and ask only for the information needed to provide real value will thrive in this new era of data privacy.
Where do we go from here?
More GDPR enforcement could be a good thing. The GDPR is not the enemy; it is an opportunity for businesses. As such, it is in our interest to make its adoption as widespread as possible. Each one of us, business owners included, is also an individual who wants to be empowered with more data ownership and to be safer online. Consumers will reward responsible data collection and maintenance. A 2021 Cisco data privacy study found that companies that invested in a better privacy experience enjoyed a 76% increase in customer trust.
Therefore, by bolstering their implementation of the GDPR, businesses help consumers put their trust in them and become loyal customers. (Enforcement and fines can also help those privacy professionals who need help convincing internal stakeholders of the importance of privacy.) After all, privacy awareness and global regulations will only continue to grow. Businesses that strongly adhere to the GDPR will reap the benefits. Businesses that don’t implement smarter data collection and minimization efforts put themselves at business risk. Privacy breaches are becoming more and more common, and no company can avoid them entirely. Companies need to protect consumer information; otherwise they will suffer long-term damage to their brand reputation.
That being said, as part of this enforcement, the GDPR also needs to provide more practical tools for businesses. It needs to take the practical realities companies face into account and offer more guidance, so that businesses can make data privacy accessible to individuals.
Gartner predicts that by 2024, “large organizations’ average annual budget for privacy will exceed $2.5 million, allowing a shift from compliance ethics to competitive differentiation.” This is exactly the business opportunity in store for companies. Be a forward-thinking business. Go that extra mile for your customers and turn the GDPR and data privacy into a competitive differentiator for your customers.