Development Group
BLOG

Data Security

Back to Blog

GDPR and its aftermath

December 6, 2018

The idea behind GDPR

Today’s digital ecosystem with all its growth and development is hardly resisting the privacy and data breaches. Sometimes such breaches affecting tens and hundreds of millions people around the world and include such cases as “The massive Yahoo data breaches in 2013 and 2014”, “The eBay security breach in 2014”, “50 million Facebook profiles harvested for Cambridge Analytica” and many others. So the GDPR goal is to protect EU internet users from the illegal use of their data, mitigate the effects of possible data breaches and give more transparency over how, where and for what purpose companies employ the user's personal information. And while EU internet users or, officially data subjects, are benefiting in numerous ways from the enactment of the GDPR, for companies such a legislative innovation bringing some complications.

How GDPR applies to companies globally

Ensuring compliance with GDPR turned out to be a very time and money consuming task for all tech companies. Not only the company itself should be GDPR compliant, but also make sure that they work with subcontractors that are also compliant. The GDPR also imply the operative reporting of internal and external data breaches within 72 hours unless the personal information was anonymized. Additional obligations will include the need to keep internal records of data protection activities, training of different departments, working on operational procedures, and processes and, finally, reviewing and updating the Privacy Policy and other related documents of the company. All these requirements along with some ambiguity of some provisions in the GDPR put many companies in a position far from being GDPR compliant.

So, according to the Crowd Research Partners report, only 40% of companies were considered as GDPR compliant by the time of approaching deadline at the end of May. However, the later report, released in July, has discovered that only 27% of EU companies reported their compliance, and even less in the UK (21%) and the US (12%). Undoubtedly, such statistic tells that companies still have a lot of work to complete in this direction.

Getting GDPR compliant

The GDPR topic has gained an enormous amount of media attention, especially in the first day of the regulation enforcement. At that time were also presented first complaints against such digital giants as Google and Facebook. Considering the fines up to 4% of the company’s global revenue for violations of GDPR, this could have been resulting in EUR 3.7 billion for Google, and up to EUR 3.9 billion for Facebook. This fact forced many companies took some action toward compliance under the threat of potential fines. These actions included providing users with more tools to check what kind of their personal information is used by the company, updated privacy policies, and even limiting the use of the company's services on the EU market in some cases.

Already in the first days of GDPR in action, many of the US-based companies have limited their presence in the EU area by stopping programmatic ads buying, running separate versions of their websites and even blocking the EU-based visitors. However, such actions do not appear to be beneficial for any of the sides, and many American companies have a way too big European audience to shut down their services in the EU.

Short run VS Long run

In general, even a few months later after the enforcement of GDPR, an analysis of privacy policies from 14 of the biggest digital companies points at the fact that they all use unclear language and provide the insufficient amount of information for their users. Even the GDPR itself is a work in progress, which need some more time to show its effectiveness in the long run.

In the short run, it’s clear that the EU has become a more challenging market for different companies whose advertising model depends on trading in their users’ data. There are also another issues associated with the enforcement of GDPR such as the reduced ability of companies to track and prevent cybercrime, the struggle of free services to stay afloat without a 'personal user data' fuel, and many others. Big things are better visible from a distance, so later we will better understand whether GDPR and its influence on the world digital ecosystem for good or not.