GDPR Is Upon Us: Should Businesses Be Worried?

Over the past few months, a slew of emails requesting confirmation of new privacy policy terms has no doubt inundated the inboxes of most EU citizens. Behind this most visible harbinger of GDPR, organisations have been engaged in the vast undertaking of ensuring GDPR compliance. GDPR has been enforceable from 25th May 2018, and the question is what happens now: what will be the benefits for individuals, and what are the possible issues for businesses?

GDPR is EU legislation that aims to keep pace with advances in digitisation by strengthening data privacy laws across Europe. The GDPR documentation is convoluted and the principles can seem somewhat abstract. As such, many individuals may be uncertain of what it means for them, while many businesses may have struggled to prepare.

Regarding individuals, a key benefit relates to clarity and consent in data processing. Gone are the days of unintelligible tick-box forms and the resulting nuisance cold calls. Organisations will need to acquire explicit consent from individuals regarding the processing of their data, and the terms need to be presented in “clear and plain language.” Users are also empowered through The Right to Access and The Right to be Forgotten. These principles allow individuals both to obtain information from organisations relating to the use of their data and to compel organisations to remove this data.

While these provisions are now in place, the aggregate benefit will depend on the willingness of citizens to exercise their new rights. This, in turn, relies on an awareness amongst individuals of why they might want control over their data, a theme usefully publicised through the recent Facebook and Cambridge Analytica data scandal.

Regarding business readiness, there is significant doubt that all companies are compliant. A key issue is ambiguity. According to Alison Cool, a professor of anthropology and IT at the University of Colorado, GDPR is “staggeringly complex” and practically incomprehensible to those trying to comply with it. She further argues that the regulation was made intentionally ambiguous through the use of broad principles to facilitate compromise amongst the EU28. The regulation will be clarified through European courts. Indeed, as I write, Facebook and Google are already facing GDPR lawsuits. Norms will be established through observing who regulators go after and what kind of penalties they’ll levy. The harshest penalty is a fine of up to 4% of global revenue, not profit.

In sum, it seems that the unique combination of citizens’ proactiveness in utilising their rights, the nature of lawsuits filed, and the discretion of regulators in charting the legal territory will delineate the intricacies of GDPR. In the meantime, while businesses may hope that European regulators give them a honeymoon period, it is likely that there will be some losers.

For GDPR advisory services please contact Alexander Shayler: