GDPR Year 1

GDPR: Some Thoughts on Year 1

This Saturday marks one year to the day that GDPR was enforced. 3 things are clear:

  1. The self-serving scaremongers were, as I suspected, full of $*%&;
  2. Anyone wondering why there have not been more fines continues to be ignorant of the true intent of GDPR; and
  3. Interest in GDPR took a nosedive after May 25, 2018

Re: Bullet 1.: The GDPR fines to date across the whole of the EU have totalled €56M, a full €50M* of which was levied against a single organisation (against Google by CNIL). So that’s it, €6M in fines for EVERY OTHER organisation in the world. In one year. This is good.

Re: Bullet 2.: Are you really surprised that fines have been so infrequent and relatively light? The UK’s Information Commissioner herself could not have made it more clear that fines would be a last resort. But good news never sells, does it?

If you’re looking for more punishment, you have either completely misunderstood the intent of GDPR, or you have something to gain from it (see bullet 1). It’s supposed to be a law to protect a human right of every man, woman and child, not a punishment.

Re: Bullet 3.; The graphic below perfectly sums up people’s attitude towards GDPR. It represents the number of ‘Sessions’ per month my blog has received since I first started blogging back in 2015:

Blog Sessions
Blog Sessions

Have one guess where May 25th is?

I started writing about GDPR in the middle of 2017 (beginning of the ‘mountain’) and didn’t really slow down until late 2018 (back to normal). I’d like to believe that this enormous drop was indicative of the interest in GDPR rather a reflection on my crap content. I think the coincidence is just too great to be the latter, but you never know.

In other words, May 25th was seen as a deadline. Once it passed most people thought they had dodged a bullet with everything now going back to normal.

To be clear, business under the GDPR IS the new normal. Conducting business will never go back to the way it was, and you will never again be able to process other people’s personal data outside of the 7 Principles laid down in Article 5. If you try, you’re exactly the kind of organisation the GDPR was written to defend people against.  

That said, you can [almost] be forgiven in thinking that GDPR has already had a significant impact; How tired are you of pop-up banners, privacy policies and choosing your cookie settings? Is this not an indication that organisations are taking GDPR seriously?

Actually, no, it isn’t. For a start this ‘cookie stuff’ has far more to do e-Privacy which isn’t even a law [yet], and from everything I’ve seen this ‘Internet-facing’ effort is nothing more than smoke and mirrors. Underlying processes have not changed, nor most organisations ability to demonstrate GDPR compliance effectively. All they have done is dropped themselves below the radar.

But that’s kinda the point; they HAVE done something, while those who continue to do nothing at all are setting themselves for some very hard conversations. We are now at year 20-ish since data protection was included in EU national law(s) (the Data Protection Directive), 3 years since the final draft of the GDPR was signed into EU law, and a year since it became enforced. If you have still done nothing, bad things are heading your way. This is also good.

Some final thoughts:

  • No, I do not think the GDPR is perfect, and yes, I would like to see a lot more guidance on things like ‘Representatives’ and ‘Certifications’, but we were never going to see 28 separate countries agree on the way forward these things so soon. It is still early days;
  • The GDPR was not enacted against business, it was enacted FOR you!
  • My entirely amateur opinions on data protection / privacy have been far more popular than on any subject I actually know something about, which is more than a little depressing.

If there’s one takeaway from this otherwise meaningless blog, it’s that it IS still early days in the enforcement of ‘GDPR compliance’, don’t waste this opportunity by doing nothing at all. The first steps are clear, and you don’t need a data protection expert to begin; GDPR: Getting to the Lawful Basis for Processing

[If you liked this article, please share! Want more like it, subscribe!]

* For perspective, €50M is roughly 0.05% of Google’s global revenue, a 4% fine would be over €4 BILLION.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.