
100 Days After GDPR

100 days ago, the General Data Protection Regulation came into force with the goal of giving individuals control over their personal data. Around May 25th there was an atmosphere of panic: email inboxes were jammed with messages from companies asking for opt-in and permission to use personal data. Some websites even temporarily shut down their services in Europe, and some are still closed. After being a big topic in May, GDPR has gone quiet, so it is time to ask: what did GDPR change?

GDPR requires companies that collect, store or process personal data to put in place technical and organizational measures to implement the data protection principles. This means data must be anonymized or pseudonymized, the privacy settings must be the highest possible by default, and personal data can only be processed with the owner’s consent.

Under GDPR, management is responsible for data protection. A company violating these regulations can be fined up to four percent of its annual worldwide revenue or up to 20 million Euro, and stockholders can sue the company and its managers if they negligently lead the company or violate internal laws.

The main concepts of the law were not new. For example, the old federal data protection law of Germany is very similar to the new GDPR. The difference was that no one cared about or followed the law. The German post, for example, helped parties with customer information during the election campaigns, the association of cities and towns considered selling data about their citizens, including their habits, and collection agencies created detailed profiles about debtors which were stolen right afterwards. Before GDPR, the penalties for violating data protection law were so low, and often so different from country to country, that most companies and website providers didn’t care at all.

After 100 days with GDPR in effect, bigger companies have adapted their services, procedures and websites to be GDPR compliant, but there is still a vast number of websites and companies not fulfilling the requirements. According to research by TrustArc, 27% of EU-based organizations are GDPR compliant. In the UK, 21% fulfill the GDPR requirements, while only 12% of US companies do.

However, most of the EU and UK based companies expect to be GDPR compliant by the end of 2018. It will probably take some more data scandals, a few CEO suspensions and huge fines until most companies and services handling personal data of European citizens apply GDPR.

Another aspect heavily discussed in advance was the effect of GDPR on business. So far, Facebook has blamed GDPR for losing half a million monthly active users across Europe and for a slowdown in advertising revenue. The “opt-in” requirement in particular was the reason why many companies lost parts of their market. Companies report a decrease of 25 to 40 percent of their addressable market.

Overall, GDPR was a big and necessary step towards more privacy and personal data protection. Not all companies are GDPR compliant yet, and some even withdrew from the European market entirely. But the majority adapted their services, and therefore people outside of the European Union also benefit from GDPR, as global companies made it their standard.

About the Author

Dominique

Co-Founder of Illotros GmbH, which created SnowHaze