It’s now more than 6 months since the European Union’s General Data Protection Regulation came into force, which means we’ve had time to reflect, look at what changes it brought about and the impact it had on businesses in the UK, Europe and even the wider world. Touted as one of the most significant pieces of legislation ever introduced by the EU, there was considerable debate in the run-up as to how the legislation would change business practices, whether it was fair, what would happen if it wasn’t adhered to, and what it meant for the future. Let’s take a look.
The main thing we learned is that a very large number of businesses simply did not have their house in order when it came to data protection and handling. While the GDPR specifics did require a fair number of changes, most of them should actually have been straightforward for businesses that already had a good handle on the data they held and how it could reasonably be used. Subject access requests, for example, were seen as a potentially time-consuming and expensive process for businesses, but the reality is that businesses that already had good documentation wouldn’t need to spend much time gathering together the data they held about a person. Unfortunately, many businesses had to spend a lot of time and money doing what they should already have been doing, in order to comply with GDPR.
It’s important for all businesses to remember that it isn’t too late to make sure that your operations are on the right side of the law. Thousands of businesses are still not following the regulations as they should, and it’s still worth making efforts to comply.
Virtually everyone will have noticed a significant decline in spam and unwanted marketing emails this year. GDPR appears to have had a real effect on cutting down unwarranted communication and use of customer data. The large fines that had been threatened were clearly enough to discourage businesses from buying, selling and using large mailing lists consisting of people who had not consented to receiving such communications. Until GDPR was put into effect, it was perhaps not obvious quite how much intrusive communication we as a society had put up with for so long.
As GDPR covers all EU citizens, it’s also a significant consideration for international organisations that do their business in the United Kingdom. We saw a large number of websites in particular decide that, rather than go to the effort of complying with GDPR, they would simply stop serving customers from the EU. This is especially true of news sites, including fairly popular outlets such as the Chicago Tribune and Car and Driver. Some have since changed their setup and provided the experience that GDPR demands, but it remains to be seen whether certain outlets will continue to regard GDPR as an excessive demand not worth meeting in order to access the EU market.
Much of the panic surrounding GDPR as the deadline loomed was a result of the potentially high fines, which can run into the millions. Many were unsure whether high fines would be commonplace, or even whether they’d ever be applied at all. The truth so far has been somewhere in the middle. There haven’t been many fines yet, despite many businesses still not complying with the law, and those fines haven’t been excessively large. An Austrian law firm was the first to be hit, with a bill totalling less than 5000 euros, and a German social media firm is also due to receive a 20,000 euro fine.
Ultimately, we’re still in the early days of GDPR. Businesses are still finding their feet, and there’s still leniency from the authorities. Any business not in compliance should, however, focus on making sure its data handling practices are in order. Here at Virtual College, we believe businesses should do everything they can to be fully informed on the subject. We offer free GDPR resources as well as GDPR training in the form of our online GDPR course.