The EU’s General Data Protection Regulation (GDPR) came into full force when the compliance deadline passed on 25 May 2018. The regulation applies to all EU companies holding personal data on an individual, and to companies elsewhere in the world that hold personal data belonging to EU residents. The consequences of failing to comply with GDPR are severe: a fine of up to 4% of a company’s annual income or €20m, whichever is higher. The former is the steeper penalty, aimed at severe cases where total disregard for data privacy is proven. The regulation has only recently come into force, and no case of legal enforcement has yet been reported.
Companies were given two years to make a smooth transition into the GDPR era, which one might argue should have been enough to prepare properly and comply. Evidently this was not the case: some companies have been too slow to react, while others have blatantly disregarded it. Some companies have struggled to understand GDPR and how to comply with it, and that confusion clearly persists. A good number of companies in the EU are still unprepared, and many others seem to have disregarded the urgency of the matter. The same goes for companies in the US that serve the EU market, most of which are still scrambling to find legal and technical ways to get around the requirements. Most US companies have evidently not taken this with the seriousness it deserves, and a good number have admitted that they have made no plans regarding GDPR.
A forecast report by Forrester had earlier claimed that 80% of organisations would not be compliant by the deadline. It also claimed that half of that 80% would take some steps to tackle GDPR, while the other half would intentionally ignore it completely.
It might be safe to assume that organisations are looking at this issue from a cost-benefit perspective, treating it merely as an exercise in avoiding fines. A company that does not prepare for GDPR and still manages to avoid fines nonetheless loses the opportunity to prepare for the future and get well ahead in best practices for data protection. It becomes a problem waiting to happen, and it is only a matter of time before such a company finds itself in a dilemma.
Numerous cases have been observed online of companies trying to get everything done at the last minute before the compliance deadline. Customers have noted an influx of emails from companies announcing changes to their privacy policies within the last few weeks. Many customers have taken to Twitter to vent their frustration over inboxes clogged by a bombardment of these emails. This is somewhat ironic: while GDPR was aimed at improving sensitivity to user data and related rights, companies have responded by spamming their customers’ inboxes with desperate attempts to sign them up to their mailing lists.
Some of the consequences of non-compliance or lack of preparation have been seen with news websites, such as the LA Times, that have been taken down for EU audiences. The Chicago Tribune and the Pinterest-owned Instapaper also had to block their EU audiences from accessing their sites in order to avoid contravening the regulation.
A massive mistake was made by the ad-blocker company Ghostery, which sent an email to more than 500 customers with all the recipients in the “to” field, thereby exposing each recipient’s address to all the others. The irony is that the content of the email was to assure them that the company had put in place stringent measures to ensure the privacy of their data. This made the company a target of online ridicule. It eventually acknowledged its mistake and apologised for the “technical issue caused by the email sending tool.”
The company arguably most caught up in this data privacy mess is Facebook. One would have thought the first incident, with Cambridge Analytica, would have prompted a proper and comprehensive response on the data privacy issue and, in the case of the EU, on GDPR compliance. While it might be inaccurate to claim that nothing has been done to salvage or improve the situation, there are new reports that Facebook has screwed up again. The company has acknowledged that millions of users who had not given express permission for their data to be shared, and who were only sharing data with their friends, had their data exposed to everyone because of a software bug. This new case is said to have affected 14 million users during a ten-day period in May, and the company has committed to beginning the process of alerting affected users.
Such embarrassments could have been avoided by taking proper measures earlier. GDPR introduces the notion of consent, which does not mean that companies may no longer use customer data. It means only that data may be processed where strictly necessary for the service, but not for additional purposes such as advertising. For the latter category, users must be given a real choice of either Yes or No. Google, for instance, has been sued for failing to provide such an explicit choice when activating the Android operating system. This shows just how much there is to lose if companies do not make a real investment in GDPR compliance.