Thinkers360

4 years after its introduction, where are we now with GDPR?

Aug



4 years on, it is starting to look like the introduction of the GDPR has not been the decisive moment for data privacy many were expecting.

What has happened? What has not? … At every anniversary, a number of articles emerge assessing the impact GDPR might have had on business.

We have asked Corix Partners founder and global cyber security and privacy influencer JC Gaillard to give us his views on this matter and to share with us his assessment of the forthcoming evolutions of the data privacy regulatory landscape.


There is still a significant amount of interest around the GDPR; do you think the time is right to look back at what happened since 2018, and what are the most positive aspects the introduction of the regulation has triggered, in your view?

4 years into it – 6 since it was approved – and in spite of the peculiar business context created by the Covid pandemic and its aftermath, we may be reaching a point where it starts to make sense to look back, although I may warn the reader that this is going to sound a lot like what we have been writing year after year since 2017 on the Corix blog and elsewhere.

Frankly, I am struggling to see clear, tangible, long-term positive aspects.

Except for the many tech firms and tech consultancies which have undoubtedly and shamelessly surfed the huge compliance wave it created and would have made significant money out of it.

The clearest positive aspect I could see is that it might have triggered the emergence of comparable legislations and regulations around the world, by showing the way to local lawmakers – and giving them a practical example to work from. This is probably most apparent in the US where state legislations have been emerging, even if their lack of consistency is starting to cause concern.

Otherwise, I think quite a lot still hinges on enforcement, as we have been saying clearly since 2018 with the Security Transformation Research Foundation.


You say a lot still hinges on enforcement, but the privacy regulators have been quite active and many significant fines have been handed out across Europe…

Fines have been rising but are still nowhere near the maximum of 4% of global turnover around which countless compliance alignment programmes have been justified. And some have been successfully challenged and overturned.

Even where regulators have been trying to flex their muscles – for example in the UK with the Marriott and British Airways fines which were in the region or in excess of £100 million when first proposed – the Covid pandemic has changed the context, forcing the regulators to revise those down, towards a far more palatable £20 million mark. This was a significant landmark case, on which we commented at the time, which was probably overlooked by many.

By failing to create clear sizeable cases against which the regulation can establish itself and evolve, the regulators have somehow limited themselves to relatively minor offenses which – in the end – downgrades their role and their action.

The anticipated actions against big tech firms have not been anywhere near the level where the fines would be painful.

Only the Schrems II ruling has created a significant amount of buzz, but shadows still hang over its actual enforcement.


Do you think the introduction of the GDPR has radically changed the dynamics surrounding data privacy, in particular in the corporate world?

As a matter of fact, GDPR has changed very little in the attitude of large organisations towards data privacy in my experience.

Let’s not forget that most of the regulation was already in domestic laws and had been for several decades.

Firms which were taking it seriously before were not far from compliance and have continued to take it seriously; those which didn’t, have continued not to, and – to a large extent – have treated compliance at best as a legal box-ticking exercise, at worst, as a matter of regulatory risk, effectively balancing the – relatively low – chance of a large fine against the – large and real – cost of alignment.


What’s key to move this forward?

The role of the regulators remains key, and until a genuinely big case emerges and is taken through due process by its actors and the courts, nothing will change.

So far, irrespective of resources and funding issues, faced with a complex dilemma between the upwards pressure of activist lobbies and the downwards pressure of business lobbies, the regulators have chosen a dangerous middle-ground.

Consumer sentiment is continuing to shift slowly towards a greater emphasis on privacy matters, but the Covid pandemic has forced the world into an accelerated digital transformation and a phase of rapid change around social and working patterns, which didn’t necessarily have data privacy at its core, as the debate around tracing apps has highlighted.

It feels like we might still be in a holding pattern, but one thing is clear: the introduction of the GDPR has not been a decisive moment for data privacy.


By Jean-Christophe Gaillard

Keywords: Leadership, Management, Privacy
