Status of the GDPR: more than a month since its implementation

One month after the implementation of the General Data Protection Regulation, the effects of this new legislation, which seeks to protect the privacy of citizens, are already evident. The concern of these is clear to see how complaints increase during the first days. We review this and other consequences of the GDPR.

On May 25, 2018 marked a turning point for the processing of personal data within the European Union. It had already been two years that the EU had left for companies and states to adapt to the General Data Protection Regulations (RGPD, or GDPR, for its acronym in English).

The GDPR seeks to give greater importance to users; protecting their personal data and offering them better privacy and new rights to defend themselves. In this blog we have already talked about how the change in the definition of informed consent will affect and how these changes will affect the health sector and laboratories.

It has already been more than a month since its implementation and its first effects and consequences have begun to be noticed in various aspects.

Increase in complaints and security breaches

To get starter, regulators have seen complaints and complaints increase markedly, as noted by the Office of the Information Commissioner of the United Kingdom.

The CNIL (French organization), has reported that there has been a 50% increase in the number of complaints since the implementation of the GDPR. In Austria, the number has risen to one hundred complaints and 59 notifications of security breaches in a single month. These figures were normally reached in eight months before the GDPR.

The fines that can be faced by companies that do not comply with the regulation (€ 20 million or 4% of their turnover, the amount that is higher than the two) has led to a superior number of safety reports and that occur much faster than before.

In addition, at European level, the control agencies have yet to investigate and resolve 29 cases that could go against the GDPR. Looking at this data, it seems that both official organizations and citizens are taking into account the new regulation and are committed to its compliance.

The consolidation of large companies

Experts indicate that one of the sectors most affected by the implementation of the GDPR will be online advertising, which depended very strongly on the data collected from users browsing the Internet and showing them ads in a segmented manner.

This change in legislation has led to the further consolidation of the most dominant positions of companies such as Google and Facebook and the most affected are small and medium. They have more difficulty adapting and some have even been forced to move their businesses out of Europe to avoid large fines.

Two days before the GDPR came into effect; European advertisers spent half of their marketing budget on Google, while on the first day of the GDPR this percentage amounted to 95%, confirming the domain that the company has consolidated.

Complaints from the United States have not been slow to arrive, whose society is especially sensitive today because of the scandal of Facebook data. The legal protection of privacy in that country is outdated (some laws date back to the 18th century) and are threatened by European legislation, which is on its way to becoming global norms.

Many countries outside of Europe, such as Canada or South Korea, have seen this new legislation as a way to follow and are already working to adapt it within their national contexts.

Within the European Union, there are still many countries that have to implement the GDPR within their legislations. The Commission indicates that less than half of the members (only twelve states) have carried it out. Among the lagging countries, there is also Spain.

The greater protection of the users has produced a change of mentality within the companies and they have begun to demand only the data they need. This also benefits the Big Data workers. It is estimated that data scientists spend 60% of their time in the process of organizing and classifying all information.

Increase in security

The GDPR also requires the highest possible security methods to protect the sensitive data of citizens, which is why this will mean an increase in research and development in the security sector.

Pseudonymization is one of those measures that are already being implemented, which consists of replacing the data with another denomination (pseudonyms) for greater protection.

The GDPR considers pseudonymization as a technique to “reduce risks for those interested”, although these pseudonyms continue to consider them as personal data and, therefore, continue to be protected by this regulation.

Those companies that cannot afford such high security standards have begun to choice to what are called data trusts. In this way, data protection tasks are outsourced to organizations specialized in managing them, anonymizing them and analyzing them.

When companies realize that users are now more suspicious when it comes to sharing their personal data and giving their consent, some are experimenting with new business models to satisfy those most unwilling. Through a freemium model, those who do not wish to receive such traditional and segmented advertising will be able to pay.

The Washington Post has already launched this system and that service without advertising has been called “Premium subscription EU”, in clear reference to the European Union and new GDPR. Meanwhile, the Los Angeles Times continues to block trafficking from the EU.

The numerous complaints received to date by the regulatory organizations show that among the citizens there was a real concern about their personal data. The implementation of the GDPR has forced the protection to be enhanced, with stricter security measures, and with higher fines in the event that the provisions are not complied with.