On May 25, 2018, the General Data Protection Regulation (GDPR) will enter into force, repealing the 1995 non-legally binding European Union (EU) Data Protection Directive. GDPR enhances European citizens’ right to privacy by enshrining the “right to be forgotten,” by establishing concepts like “privacy by design” and by setting aggressive timelines for businesses to report data breaches.
GDPR applies to any company that collects data from EU residents, including firms based outside of Europe. Compliance with the regulation is mandatory, and those found non-compliant can be fined up to EUR 20 million or 4% of a company’s annual turnover, whichever is higher. Preparing for the complex and detailed regulation, and the clear assignment of responsibility for protecting individuals’ information, have resulted in significant costs for companies. The “GDPR doomsday clock” has been widely depicted across the internet, visualizing companies’ anxieties about the new regulation.
Why GDPR matters
GDPR is about much more than just compliance and potential fines. It is about corporate culture, and about awareness of and respect for individuals’ right to privacy. Privacy is a fundamental human right, enshrined in the UN Declaration of Human Rights, the International Covenant on Civil and Political Rights and many other international and regional treaties. In the modern digital age of big data and constant monitoring, privacy has become one of the most important human rights issues.
Yet the degree to which individuals care about, or are even aware of, their right to privacy and violations of it differs. For instance, a wealth manager’s client may not object to the company collecting data on his private life, such as his wife’s birthday, for the purpose of sending business courtesies to enhance the customer relationship. However, a bank customer may find it unacceptable to receive personalized advertisements from third parties based on past payment behavior, and an insurance customer may not want their car’s GPS, speed and driving data tracked in order to adjust the terms of their car or accident insurance policies.
The important questions are: what type of data is collected, for what purpose, to what extent do third parties have access to it, and how is it processed and protected? Clear and intelligible answers, alongside clear contact and complaint mechanisms as stipulated by the GDPR, enhance clients’ awareness of their rights and their opportunity to exert control over their personal information.
It is important for individuals to understand that they are the only rightful owners of their personally identifiable data; that they have the right, as well as the means, to control their data flows; and that they are entitled to hold data collectors and processors accountable for how their data is managed. As with the right to vote, individuals need to be educated about their privacy rights in order to fully exercise them. They need to understand and own their individual right to privacy and to be forgotten. GDPR and its core concepts strengthen citizens’ awareness that their personally identifiable information belongs to them, and not to the corporation collecting or processing their data.
Furthermore, GDPR establishes the structures that allow individuals to hold corporations accountable, for instance through the mandatory assignment of a data protection officer at corporations.
GDPR has the potential to advance society by improving privacy practices at corporations. This will, however, only be possible once it moves from being a complex piece of regulation that companies are struggling to comply with to becoming something ingrained in their processes and ultimately their corporate culture. This shift will take time.
Fines and controversies
Empowering individuals to exercise and control their right to privacy and holding companies accountable are big achievements of GDPR. Since enforcing and controlling its implementation is likely to be a difficult task for the EU, it remains to be seen how fines will be applied.
A recent study found that 40% of UK consumers intend to exercise their data privacy rights in the next six months, following the implementation of GDPR. Financial services, retail and social media companies are most likely to be hit the hardest with personal data requests.
Analysts of GDPR’s impact will be busy in the months and years to come. First, monitoring institutional enforcement, such as fines or warnings of non-compliance, will contribute to assessing the financial impact of the regulation. Second, scrutinizing data breaches and leaks, while evaluating how soon individuals have been informed, will be part of understanding the operational impact. Third, NGO and media reports, and the voices of concerned individuals, privacy defenders and social movements supporting enhanced privacy rights could shed new light on the reputational impact of not having adequate privacy practices in place.
As large-scale controversies, involving massive data collection and high-profile data leaks, shake individuals’ confidence, the importance and understanding of the right to privacy are likely to increase. Companies that do not embrace the core concepts of GDPR, such as integrating transparency and accountability into their privacy practices and embedding the protection of individuals’ right to privacy in their corporate culture, run the risk of incurring financial, operational and reputational damage in the long run.