Law 

GDPR in practice: The General Data Protection Regulation starts achieving its intended goal

For a number of companies and consumers, 25 May 2018 was a revolutionary milestone in terms of personal data importance. Partly given the significant attention paid by the media, consumers and organisations started recognising their respective rights and obligations. The regulation, which was approved in April 2016 and came into effect two years later, resulted in a number of changes in the functioning of the affected organisations. What changes were they? What is the public perception of the GDPR? Has anything changed in practice at all?

Viewpoint one: consumers

In general, with the practical introduction of the GDPR, consumers have been more interested in their personal data and the form of their subsequent processing through organisations to which the data were provided. Customers are more cautious about the companies that they do not know too well or that have a bad reputation from prior years and they are more likely to read the terms of personal data protection in the companies.

Do you know that… A third of users admit that they do not read company arrangements on personal data protection at all. For more than a half of respondents, potential misuse of personal data for the benefit of a third party is a significant risk and nearly 20% of respondents confirmed potential termination of a business relationship with an organisation from which the personal data disclosed would leak. More than a half of respondents are willing to provide additional personal data in exchange for an option to receive a personalised proposal or a discount. The positive news is that for the same number of respondents, the personal data protection issue has been clearer now.

In terms of exercising rights, the most common knowledge among respondents is that consents may be recalled while the option to transfer and access personal data is the least used right. The study shows in general that more than a half of respondents are aware of the rights resulting from the GDPR; however, only 12% of respondents have ever exercised them. The proportion represents a relatively high number of informed users compared to the results of studies on the implementation of other regulations, where awareness usually ranges between 10-30%.

Viewpoint two: organisations

Preparation for 25 May 2018 required from many organisations much time as well as significant financial investments that the companies continue to make after the key date in May. Many of them increased their HR capacities due to the GDPR implementation but in their opinion, they are still insufficient. The most frequent obstacle is the lack of funds for the long-term engagement of external human resources. In terms of increasing in-house resources, firms often face a low number of qualified people on the labour market, which primarily relates to the low unemployment rate.

At the same time, 92% of organisations have confirmed that they have been able to keep the implemented standards in the long-term horizon. It may be concluded that most organisations use various internal and external tools to support GDPR-related activities. Another crucial factor is the ethical and responsible behaviour of organisations in the sector. Compliance with the rules relating to the GDPR implementation is one of the key factors in building an organisation’s confidence and good reputation. 59% of respondents agree with this statement. Nearly a half of respondents believe that now organisations have been committed to correctness in personal data management more than before the GDPR implementation. The consumer awareness of the processing and using data by organisations has also increased.

We did extensive research on the GDPR in 11 countries covering 2,750 respondents. The purpose of the study was to identify the progress of implementation and the impacts of related GDPR measures from the point of companies and the affected consumers half a year after the effective date. Are you interested in more details? Look through the entire report.

View of practice: The GDPR in the Czech Republic

What is our experience from GDPR projects? We can confirm that the study conclusions correspond more or less to our experience from the implementation of projects in the Czech Republic. The GDPR’s coming into force resulted in a wave of applications to exercise data subject rights, which was in many situations driven by the initial euphoria in finding out “what the company knows about me”. The number of applications has continuously decreased with time and after six months, the exercise of rights is more frequently required by persons who have a real interest in exercising some of their rights than it was shortly after the effective date.

On the part of companies, the initial stress from the effective date has been released, many companies have been working on fine-tuning and increasing the effectiveness of their processes, which were often designed in a hurry in order to meet the deadline in May. Some of the organisations consider a possible synergy with the expected ePrivacy regulation. The regulation aims at protecting the content of communication (such as instant messaging, VoIP, e-mail and communication services) together with the data produced by these means of communication. In business terms, we can expect considerable impacts on possible monetisation of data collected through cookies.

General Data Protection Regulation GDPR
Law 

The pros of having a strong and independent competition authority

The interaction of firms on the market is strongly regulated and competition authorities should make sure that firms do business on an equal playing field. In a competitive environment, the pressure on efficiency and effectiveness is ever greater. In order to withstand this trend, firms must keep coming up with quality and innovative goods at better prices. This is beneficial not only for consumers. Greater purchasing power of consumers and growth in firms’ production ultimately contribute to the growth of the entire economy. If the rules in place are followed, firms will remain driven to offer a wide range of quality and innovative products at low prices. 

15. 3. 2019
Law 

Google Receives a Fine of EUR 50 Million for Violating the GDPR

On 21 January 2019, the French equivalent of the Czech Office for the Protection of Personal Data (the “OPPD”), Commission nationale de l'informatique et des libertés (the “CNIL”), imposed a fine of EUR 50 million on GOOGLE LLC for violating the General Data Protection Regulation (the “GDPR”). The fine was imposed for lack of transparency in processing personal data, for insufficiently informing data subjects, and for invalid consents relating to the personalisation of advertising. This is by far the greatest sanction imposed to date since last May, when the Regulation came into effect. 

27. 1. 2019
Law 

11 pieces of advice and recommendations to get the better of the personal data protection regulation

The General Data Protection Regulation or the GDPR was one of the most discussed topics last year. Its compulsory implementation in practice, which occurred in May 2018, was preceded by stormy debates, careful preparations of stakeholders and uncertainty about the practical consequences the regulation would produce. At a business breakfast held at the end of the last week, we assessed the first six months of the GDPR’s implementation. We have selected the 11 most interesting pieces of advice and recommendations to help you find out whether the steps you have taken are in line with the regulation and what to do to achieve compliance. 

22. 1. 2019