January 28 was International Privacy Day, the perfect day to explore the impact of the GDPR on the protection of privacy in the post-GDPR era.
A bit over 6 months ago, on May 25, GDPR (General Data Protection Regulation) became enforceable all over Europe. The GDPR aims primarily to give control to individuals over their personal data. It also addresses the export of personal data outside the EU and EEA areas.
As a breach of the GDPR can result in sanctions reaching up to 4% of the previous fiscal year’s turnover, one would expect companies’ main concern to be compliance, simply in order to avoid facing fines.
Yet Bart Willemsen — Senior Director Analyst at Gartner — commented at the January 28 “2019 Privacy Predictions” event in Tel Aviv that, to his surprise, fear of sanctions came only third on companies’ list of preoccupations when overhauling their privacy governance.
Photo by Tumisu
Though some companies merely window-dressed their websites, modifying their terms and conditions to appear GDPR compliant without changing anything in their data collection and storage mechanisms, organizations that are serious about giving their users’ privacy the respect it deserves have more pressing concerns than avoiding sanctions for non-compliance.
Foremost among those concerns is losing customers, from two very different angles — displaying an unwelcoming privacy UX that drives users away, or suffering a catastrophic data breach that tarnishes the company’s brand name.
One of the side effects of GDPR implementation was the proliferation of intrusive pop-up windows requesting users’ consent, undermining the initial investment in UX design. Optimizing user retention in the GDPR age means integrating dedicated privacy UX as a fundamental part of design development, rather than mimicking the bolt-on corrective solutions that dominate user interfaces today.
Catastrophic data breaches exposing the information of dozens or hundreds of millions of users are increasingly making their way to the front page, with varying degrees of nefarious consequences for the affected people. The Equifax debacle left victims open to identity theft and led to the subsequent financial ruin of several of them; Cambridge Analytica’s insidious snooping had a direct influence on election results; and the Marriott hotel breach is suspected to be the work of China for espionage purposes. These are only a sampling of the infamous security breaches that made the front page.
According to Limor Shmerling Magazanik — Managing Director at the Israel Tech Policy Institute — such events are effective in raising awareness among the general public of the need to be cautious about clicking on anything and to be alert to potentially suspicious content. However, online security remains a low priority in the average citizen’s daily life, which means responsible organizations have to shield users and employees alike from potential exploits rather than rely on their vigilance.
Illustration by TPHeinz
On a political level, though the GDPR is compulsory only in the EU and EEA (European Economic Area), its effect reaches far beyond the borders of its administrative jurisdiction. As any company wishing to conduct business with EU- or EEA-based counterparts is required to provide GDPR-compliant data protection for data subjects within that area, countries the world over are increasingly following the GDPR model with some local adjustments. For example, Brazil essentially copy-pasted a Portuguese translation of it, and Kenya’s Data Protection Bill is largely modeled on the GDPR.
In the USA, whereas Congress is more focused on the issues stemming from data security breaches, non-elected bodies such as the National Telecommunications and Information Administration (NTIA) are actively exploring the topic. NIST published a request for public comments on developing an “Approach to Consumer Privacy”, followed by a request for information (RFI) seeking public comments on NIST’s efforts to develop a Privacy Framework. At the state level, California made headlines last June when it enacted the California Consumer Privacy Act (“CCPA”), a comprehensive GDPR-like privacy law that will bring fundamental privacy protections to 40 million Californians starting in 2020. Several other U.S. jurisdictions are taking notable steps that will have privacy implications in the years to come.
Some countries, however, are unlikely to embrace any such privacy concerns any time soon. China’s and Russia’s approaches to privacy are radically different from those of the Western world, and, as private-sector international trade within their jurisdictions is limited by design, they have no economic incentive to enact GDPR-like regulations.
As the GDPR effect gains ground around the globe, organizations hoping for a global (minus China and Russia) standard to emerge will have to take extra care to fine-tune their policies so that they remain compliant everywhere despite the variations between privacy protection regulations.
As the age of surveillance capitalism matures and the importance of controlling personal data gradually permeates individual consciousness, proper management of personal data is becoming increasingly significant.
If you liked this article, feel free to clap generously and share it with those of your friends who might be interested. Thank you!