GDPR – Are companies complying? Was the impact too soft?
A survey conducted last September by Talend (a US global leader in cloud data integration solutions) found that 70 percent of surveyed companies from around the world that conduct business in Europe did not meet requests to provide individuals with a copy of their personal data within one month. Such a request is known as a “Subject Access Request” (SAR) and arises from article 15 (right of access by data subject) and article 20 (right to data portability) of the GDPR. Under the new data protection law, companies are obliged to provide the individual with the information they hold on record within one month of the request.
It transpired that 35 percent of EU-based companies were meeting SARs within the legal time frame, compared to 50 percent of companies outside Europe. This research-based exercise was conducted on 103 companies from across a myriad of industries including retail, media, technology, public sector, finance and travel. It was also concluded that although many of those surveyed understood the importance of GDPR, many others were not taking action on personal data in terms of technology and processes.
As Talend rightly pointed out, this matter was a concern given that SARs are not something new under GDPR, since they were already present in the previous Directive. The findings showed that the average response time was 21 days, while 65 percent responded within 10 days, only to be surpassed by mobile banking and tech companies, which generally responded within one day. On the other hand, those businesses which started offline had to struggle with legacy systems and were slow to respond.
Talend’s senior director of data governance products, Mr. Jean-Michel Franco, stated that “GDPR presents an opportunity to engage with customers and build loyalty. It’s vital for businesses in the digital era to have a 360-degree view of customers.” Moreover, “businesses must ensure that data is consolidated and stored in a transparent and shareable way.”
One certainly looks forward to comparing results with a similar survey conducted on the first anniversary since the implementation of GDPR to see if there have been any significant positive changes.
Was the impact too soft?
Those who have a keen interest in this area of law, or who have been affected by it in their profession, will surely agree that GDPR was both an ambitious and probably the toughest piece of legislation in the sphere of privacy and security to date. The legislators were committed to better safeguards that guaranteed users better control over their personal data.
While people might associate GDPR with the never-ending requests for consent that they were bombarded with through “pop-ups” and e-mails, especially before the 25th of May 2018, the EU had better reasons to give people more control over their personal data. All EU citizens and residents who use computers and other electronic devices have a say over those companies that handle their personal data. This means that people are only “lending” their personal data and that it remains theirs. EU citizens and residents have a right to:
- information on how their data is processed;
- access to their personal data;
- have their data corrected;
- have their data erased (e.g. if unlawfully used);
- object if their data is used for marketing purposes;
- restrict the use of their data for specific purposes;
- request that decisions involving personal data made by automated processing be made by natural persons, not only computers.
GDPR provides for enforcement in case of violation of the regulation by allowing authorities to impose hefty fines of up to 4 percent of global revenue or 20 million euro, whichever is the higher. Therefore, GDPR places a lot of responsibility on companies that process personal data, especially in those circumstances where data is collected without authorization or reason.
Another requirement imposed on companies is that of having appropriate data security, transparent processing and the responsibility of notifying the persons affected by a breach within 72 hours. Unfortunately, this obligation has not been followed by big tech companies like Facebook, which has been reported to have notified its customers about its data breach two months later.
Despite GDPR entering into force more than 9 months ago, to some experts in the field it has been somewhat of a mixed bag. Some companies may have updated their privacy policies, introduced tools that provide users with more control and adopted ways of deleting data on request. However, many others have adopted a more lenient approach and may still be in default, especially when it comes to consent and control. This is a disappointment when considering that the regulation was a forward-looking law promoting “privacy by design” (privacy at the initial stages of the product's development process). Moreover, since the media focused on data breaches by big tech companies and the staggering fines imposed, the perception might have been that GDPR only concerns big companies like Facebook and Google.
Raegan MacDonald, the Head of EU Public Policy at Mozilla, said that “2018 was the year of implementation, while 2019 will be the year of enforcement.” Rightly so, if one follows the continuous growth of the office of the Irish Data Protection Commissioner, in whose jurisdiction the above-mentioned big tech companies have their EU headquarters.
On the other hand, one cannot discount the fact that, according to Reuters in Brussels, European data protection regulators received more than 95,000 complaints about possible data breaches within the first eight months after the adoption of GDPR. Clearly it can be said that GDPR had a positive impact on people, as it has made them more aware of the issues regarding personal data.
If one had to sum up the impact of GDPR in 2018, one can agree that there has been an increase in awareness of the handling of personal data that has encouraged companies to change their approach. It is certain that 2019 will see some big investigations while GDPR’s impact will keep on growing.
The article was published in the Malta Independent on Sunday, 17 March 2019.