GDPR in practice: The General Data Protection Regulation starts achieving its intended goal
For a number of companies and consumers, 25 May 2018 was a revolutionary milestone in terms of personal data importance. Partly given the significant attention paid by the media, consumers and organisations started recognising their respective rights and obligations. The regulation, which was approved in April 2016 and came into effect two years later, resulted in a number of changes in the functioning of the affected organisations. What changes were they? What is the public perception of the GDPR? Has anything changed in practice at all?
Viewpoint one: consumers
In general, with the practical introduction of the GDPR, consumers have been more interested in their personal data and the form of their subsequent processing through organisations to which the data were provided. Customers are more cautious about the companies that they do not know too well or that have a bad reputation from prior years and they are more likely to read the terms of personal data protection in the companies.
Do you know that… A third of users admit that they do not read company arrangements on personal data protection at all. For more than a half of respondents, potential misuse of personal data for the benefit of a third party is a significant risk and nearly 20% of respondents confirmed potential termination of a business relationship with an organisation from which the personal data disclosed would leak. More than a half of respondents are willing to provide additional personal data in exchange for an option to receive a personalised proposal or a discount. The positive news is that for the same number of respondents, the personal data protection issue has been clearer now.
In terms of exercising rights, the most common knowledge among respondents is that consents may be recalled while the option to transfer and access personal data is the least used right. The study shows in general that more than a half of respondents are aware of the rights resulting from the GDPR; however, only 12% of respondents have ever exercised them. The proportion represents a relatively high number of informed users compared to the results of studies on the implementation of other regulations, where awareness usually ranges between 10-30%.
Viewpoint two: organisations
Preparation for 25 May 2018 required from many organisations much time as well as significant financial investments that the companies continue to make after the key date in May. Many of them increased their HR capacities due to the GDPR implementation but in their opinion, they are still insufficient. The most frequent obstacle is the lack of funds for the long-term engagement of external human resources. In terms of increasing in-house resources, firms often face a low number of qualified people on the labour market, which primarily relates to the low unemployment rate.
At the same time, 92% of organisations have confirmed that they have been able to keep the implemented standards in the long-term horizon. It may be concluded that most organisations use various internal and external tools to support GDPR-related activities. Another crucial factor is the ethical and responsible behaviour of organisations in the sector. Compliance with the rules relating to the GDPR implementation is one of the key factors in building an organisation’s confidence and good reputation. 59% of respondents agree with this statement. Nearly a half of respondents believe that now organisations have been committed to correctness in personal data management more than before the GDPR implementation. The consumer awareness of the processing and using data by organisations has also increased.
We did extensive research on the GDPR in 11 countries covering 2,750 respondents. The purpose of the study was to identify the progress of implementation and the impacts of related GDPR measures from the point of companies and the affected consumers half a year after the effective date. Are you interested in more details? Look through the entire report.
View of practice: The GDPR in the Czech Republic
What is our experience from GDPR projects? We can confirm that the study conclusions correspond more or less to our experience from the implementation of projects in the Czech Republic. The GDPR’s coming into force resulted in a wave of applications to exercise data subject rights, which was in many situations driven by the initial euphoria in finding out “what the company knows about me”. The number of applications has continuously decreased with time and after six months, the exercise of rights is more frequently required by persons who have a real interest in exercising some of their rights than it was shortly after the effective date.
On the part of companies, the initial stress from the effective date has been released, many companies have been working on fine-tuning and increasing the effectiveness of their processes, which were often designed in a hurry in order to meet the deadline in May. Some of the organisations consider a possible synergy with the expected ePrivacy regulation. The regulation aims at protecting the content of communication (such as instant messaging, VoIP, e-mail and communication services) together with the data produced by these means of communication. In business terms, we can expect considerable impacts on possible monetisation of data collected through cookies.