One week ago we celebrated the third anniversary of the European Union’s (EU) General Data Protection Regulation (GDPR) coming into effect. This regulation granted new privacy rights to EU residents and set forth stringent punishments for organizations that violated its rules and obligations. It was groundbreaking and redefined the global privacy landscape.
Needless to say, the GDPR rollout inspired a multitude of questions about what was to come. Questions such as: How will this regulation impact IT organizations? Which types of companies will be subject to the regulation? What will companies outside of the EU need to do? And, perhaps most important, how will compliance programs need to evolve?
Three years later, it’s clear that the GDPR has made a significant mark on the world. Businesses and consumers alike have become more aware of—and concerned about—data use and privacy. Organizations have changed their practices in response, and consumers and lawmakers are advocating for more protection and rights. And, of course, the law has had repercussions, with some large players, such as British Airways and Google receiving substantial fines.
It’s undeniable that the GDPR has set the standard for data privacy. Here are the three biggest takeaways of three years with the GDPR:
The GDPR established several consumer rights that allowed consumers to request, manage, and delete their data. For businesses, this created a pressing need to honor these rights and to avoid any potential penalties for noncompliance. As a result, companies have implemented workflows that let them receive and respond to consumer requests in an efficient and effective manner.
With the introduction of the GDPR, an entire market has developed to support these efforts. This market continues to grow at an incredible rate. Auditors, such as my firm, work closely with companies on complex compliance programs. And various software tools let organizations automatically manage information requests. From partners to platforms, businesses can turn to an ecosystem of resources to build their privacy programs and meet the demands of the GDPR.
I have no doubt this market will continue to grow as more privacy regulations come into play globally. Compliance will continue to become more nuanced and complex, especially for organizations operating across borders or processing data from global users. These organizations will continue to need partners and tools to meet those needs.
Prior to the GDPR, many consumers were unaware of the types and vast amount of personal data companies collected. However, the GDPR, along with breaking news stories about data privacy, such as Cambridge Analytica in 2018, awakened consumers to how their data gets used in ways they never anticipated.
This rise in consumer awareness created pressure for greater protection and rights for individuals. Though the jurisdiction of the GDPR focuses on consumers residing in the EU, it inspired consumers living in other countries to ask questions like: Why don’t I have those privacy rights? And, what laws protect me?
Today, consumers are becoming more aware of and concerned about their data privacy than ever before. Pew Center research revealed that more than half (52%) of U.S. adults have decided not to use a “product or service” following concerns around privacy. Of that group, the most common concern (15% of respondents) was giving out general personal information.
Consumers are increasingly holding companies more accountable and demand protections for their personal information.
Increasing consumer concerns have inspired the growth of new privacy laws. Consider the U.S., where the state of California passed the California Consumer Privacy Act (CCPA) in 2018 and where expanded legislation will come with the California Privacy Rights Act (CPRA). Today, around 28 U.S. states have either passed privacy bills into law or have bills working their way through legislation.
Although all the different laws are unique, the GDPR serves as the inspiration for many, resulting in similar rights and restrictions. We can expect to see more global, state, and federal regulations start to emerge in the near future.
In only three years, the GDPR has left an impressive mark on the global business landscape. Organizations that haven’t been paying attention to the GDPR must take notice because cybersecurity programs must continuously improve to protect a consumer’s personal data.
Privacy has become a top-of-mind issue that revolves around consumer awareness, business practices, and legislative progress. As our lives continue to move online both at work and at home, the GDPR will continue on as a landmark for privacy, risk, and consumer protection.
Chad Gross, associate director of services and international operations, A-LIGN