GDPR’s impact goes further than data
The new age of data privacy
In 2018 the EU implemented the General Data Protection Regulation (GDPR), the most comprehensive data privacy law the world has seen. Today, as we take stock of how much things have changed, the answer is both not much and quite a lot.
When it comes to data protection, we’re seeing two different developments: the first is within the EU itself; the second is with other governments. Within the EU the implementation of GDPR is still in its infancy, relatively speaking. As an EU law, it does not have a central enforcement body. Rather, each member country implements and enforces the law in its own way.
So far, we’re only just beginning to see results. While most companies have implemented a GDPR compliance policy, some have adopted a wait-and-see approach. Their eventual policies will depend on the geographies where they operate, the kinds of personal data they handle, and what they do with it. Enforcement bodies are being set up, investigations are ongoing, complaints are coming in, and we are slowly starting to see penalties issued. We are also seeing more guidance from supervisory authorities. Over a year in, it is still early days. More time is needed to get clarity on the impact of GDPR. But one thing is certain – we are all much more aware of data collection and usage practices.
The EU is not alone. Singapore has the Personal Data Protection Act. Brazil has the General Data Protection Law. How those laws will be implemented and enforced remains to be seen.
The most potentially challenging development comes not from a country but from a US state. The California Consumer Privacy Act (CCPA) is potentially one of the most sweeping revamps of data laws. This is a big deal given that California by itself is the fifth largest economy in the world, larger than the UK or France. The law broadens the definition of personal data and creates a litigation risk for any large business that collects or uses that data. The challenge for companies lies both in compliance and the risks of the law – and the fact that it will likely be amended before implementation in 2020.
While these developments do not exactly accomplish the goal of protecting consumers’ data, providing free services, and allowing business to flourish and grow, everyone agrees that inappropriate use of data is an ongoing problem – and that data can be used not only for good but also for evil. This means we must be more vigilant and aware of what data we have, how it is used and how it is protected. Consumers are becoming more and more savvy about which companies are collecting data and what they are doing with it – and they are uncomfortable with some of the practices.
The opportunity for companies, of course, is to use their expertise to educate the world, consumers and companies alike, on how data is collected, stored, and used; what is appropriate use; and what the benefits are to consumers. They should also lead by example in clean and acceptable uses of data. They have a duty to be transparent with end users and consumers and a responsibility to ensure they are using data in a manner that is not only legally permitted, but also ethically appropriate.
Everyone in the industry has a stake in demystifying data and educating the public on what it really is, how we use it, and how we can protect it for the benefit of all. The more people understand, the more likely it is that governments will provide effective legislation. One good place to start would be to explain that privacy policies should not be blindly accepted but read and understood. People need to know what exactly they are agreeing to – and how to opt out, if they choose.
When all is said and done, 2018 looks a lot like 2019. The fruits of our GDPR labour are slowly being realised: companies are examining their practices and exploring the limits of compliance; consumers are becoming more aware of how their data is being used. At the same time, new laws are being proposed – and even passed in some cases. Preparing for them is imperative for businesses.
Without good regulation we could end up with costly litigation, a loss of innovation, and a further erosion of consumer trust. To ensure we get the next phase right, data providers and consumers can help shape the future. There are many opportunities: as people consent to higher quality data being collected, companies are able to adapt to changing needs and ultimately deliver a better service.
This is only the beginning of the story. For better or worse, GDPR challenges may prove to be central to a brand’s growth. The key is to play it right.