4 years on, it is starting to look like the introduction of the GDPR has not been the decisive moment for data privacy many were expecting.
At every anniversary, a number of articles emerge assessing the impact GDPR might have had on business.
4 years into it — 6 since it was approved — and in spite of the peculiar business context created by the Covid pandemic and its aftermath, we may be reaching a point where it starts to make sense to look back, although I may warn the reader that this is going to read a lot like what we have been writing year after year since 2017 in these columns and elsewhere.
Frankly, I am struggling to see clear, tangible, long-term positive aspects.
Except for the many tech firms and tech consultancies which have undoubtedly and shamelessly surfed the huge compliance wave it created and would have made significant money out of it.
The clearer positive aspect I could see is that it might have triggered the emergence of comparable legislations and regulations around the world, by showing the way to local law makers — and giving them a practical example to work from. This is probably most apparent in the US where state legislations have been emerging, even if their lack of consistency is starting to cause concern.
Otherwise, I think quite a lot still hinges on enforcement, as we have been saying clearly since 2018 with the Security Transformation Research Foundation.
Fines have been rising but are still nowhere the maximum of 4% of global turnover around which countless compliance alignment programmes have been justified. Some have been successfully challenged and overturned.
Even where regulators have been trying to flex their muscles — for example in the UK with the Marriott and British Airways fines which were in the region or in excess of £100 million when first proposed — the Covid pandemic has changed the context, forcing the regulators to revise those down, towards a far more palatable £20 million mark. This was a significant landmark case, on which we commented at the time, which was probably overlooked by many.
By failing to create clear sizeable cases against which the regulation can establish itself and evolve, the regulators have somehow limited themselves to relatively minor offenses which — in the end — downgrades their role and their action.
The anticipated actions against big tech firms have not been anywhere near the level where the fines would be painful.
Only the Schrems II ruling has created a significant amount of buzz, but shadows still hang over its actual enforcement.
As a matter of fact, GDPR has changed very little in the attitude of large organisations towards data privacy in my experience.
Let’s not forget that most of the regulation was already in domestic laws and had been for several decades.
Firms which were taking it seriously before were not far from compliance and have continued to take it seriously; those which didn’t, have continued not to, and — to a large extent — have treated compliance at best as a legal box-ticking exercise, at worst, as a matter of regulatory risk, effectively balancing the — relatively low — chance of a large fine against the — large and real — cost of alignment.
The role of the regulators remains key, and until a genuinely big case emerges and is taken through due process by its actors and the courts, nothing will change.
So far, irrespective of resources and funding issues, faced by a complex dilemma between the upwards pressure of activist lobbies and the downwards pressure of business lobbies, the regulators have chosen a dangerous middle-ground.
Consumer sentiment is continuing to shift slowly towards a greater emphasis on privacy matters, but the Covid pandemic has forced the world into an accelerated digital transformation and a phase of rapid change around social and working patterns, which didn’t have necessarily data privacy at its core, as the debate around tracing apps has highlighted.
It feels like we might still be in a holding pattern, but one thing is clear: The introduction of the GDPR has not been a decisive moment for data privacy.
JC Gaillard
Founder & CEO
Corix Partners
Contact Corix Partners to find out more about developing a successful Cyber Security Practice for your business.
Corix Partners is a Boutique Management Consultancy Firm and Thought-Leadership Platform, focused on assisting CIOs and other C-level executives in resolving Cyber Security Strategy, Organisation & Governance challenges.