Two years to the day since its enforcement, GDPR is beginning to have a real impact, but how seriously individual organisations are taking the regulation is still tied to their resources, according to privacy advocates.
Locally, SailPoint, an identity management company, reports GDPR has contributed to Australian organisations being more concerned about their data governance and many are making the investments to back it up.
Privacy Affairs, an advocacy group that evaluates privacy tools, has been tracking enforcement of Europe’s landmark data regulation, which came into effect two years ago today.
Speaking to Which-50, Privacy Affairs’ Marcus Clarke said while enforcement has varied across European nations, the amount of media and legal coverage suggests GDPR has at least elevated the importance of data privacy and protection.
“I believe it has achieved this [awareness] purpose,” Clarke said. “Although whether it has led to an actual reduction in data misuse is debatable.”
GDPR breaches are still occurring frequently but enforcement varies across European nations, as shown by the variance in fines handed out, according to Clarke.
“Something we find noteworthy is the disparity in the amount organisations are being fined by different European countries for quite similar offences.”
Christopher Rodrigues, head of Marketing, APAC, at SailPoint, a global identity management provider, says that, like national regulators, individual organisations have also had differing interpretations of GDPR.
“In the first year of GDPR, it was so new to organisations that each had their own interpretation of the law – for example, do I have to have a double opt-out clause from a database?” Rodrigues told Which-50.
“Organisations have made huge investments and have put measures in place to ensure they are compliant and do not break any laws.”
However, Privacy Affairs’ Clarke notes smaller organisations aren’t as well equipped to comply.
Larger organisations, though, are more aware of the risks – GDPR penalties can be as high as four per cent of a company’s global annual turnover, Clarke says – and have the budgets both for compliance and for challenging regulators when they are caught out.
According to Privacy Affairs’ GDPR fine tracker, tech giants and large multinationals have so far largely escaped the huge fines many were expecting the data regulations to bring, outside of one £50 million fine for Google in France.
In 2019, the UK’s data regulator, the ICO, gave notice of fines of more than £280 million combined for British Airways and Marriott hotels for failing to protect customer records. But the ICO, which has an annual budget of just over £2m, looks set to revise those fines down after needing to extend its negotiations with BA’s and Marriott’s high-powered legal teams, according to The Register.
While a lack of huge binding fines can be a good thing with regard to GDPR’s effectiveness, Clarke says, it can also be evidence of the uphill battles regulators face.
“[With] the BA and Marriott International cases showing no sign of concluding [it] tells me that the companies that would get the biggest fines also have the most expensive legal teams.”
SailPoint’s Rodrigues insists there has still been a “tremendous upside” overall to the landmark data regulation.
“If anything, it has improved customer confidence. From a company standpoint there has been a significant amount of trust that has been built (between consumer and company); it has also been an excellent opportunity to clean up the data. The flow-on effect to this is having relevant data and giving the company the chance to do more with less.”
For consumers, the tradeoff for that privacy is more active involvement in website cookie tracking, typically through pop-up warnings, Rodrigues says. For businesses it is the cost of potential penalties, although Rodrigues notes compliant organisations have little to worry about.
Rodrigues says regulations like GDPR, along with the current pandemic, which has forced organisations to think differently about customer and employee information, are leading to improved governance.
“As marketers, using this personal information calls for a rethink on the following: how it is used, what is the standpoint of the company (that is storing the data) on having this information, when do you stop using it, and does the information get deleted forever or does it stay in the database?”