GDPR: a first gap between early adopters and latecomers
What are the first reactions to the GDPR?
The General Data Protection Regulation (GDPR), which came into force on 25 May this year, is already a source of disparity. While some companies have already received their first GDPR sanctions, others see it as a way to improve their personal data management.
This gap in consequences mirrors the one observed among online advertising players. According to a study carried out by Cliqz and Ghostery, Google, the sector leader, with the means to anticipate and highlight its supposedly exemplary compliance with the GDPR, has seen its growth increase by 1%. This was to the detriment of smaller entities in the same sector, which lost 18% to 31% of their reach on the web: having not sufficiently demonstrated their adaptation to the new regulatory framework, they were abandoned by site owners anxious to avoid any penalties. Obviously, this gap between pioneering organisations and laggards is not confined to this one sector of activity…
The first GDPR penalties
400,000 is the amount of the first fine imposed following the implementation of the GDPR. The penalty was imposed by the CNPD (the Portuguese equivalent of the CNIL) on a hospital near Lisbon following three breaches of the new regulation.
Of course, French companies are not exempt from these requirements: five companies in the Humanis and Malakoff-Médéric groups have been served with formal notice by the CNIL for misappropriating, for canvassing purposes, personal data intended for the management of pension contributions and benefits.
Even international giants such as Twitter are not immune. First suspected by a British researcher of violating the GDPR, the social network is now being investigated by the Irish Data Protection Authority and risks GDPR sanctions.
But unlike these three prominent examples, other firms have not waited for potential GDPR sanctions to comply with these new data protection requirements. Some have rightly seen it as an opportunity to gain efficiency and multiple benefits.
The benefits of compliance
The compliance process can be extremely tedious, to the point of requiring 12 to 36 months of work for social and medico-social actors, according to a Ressourcial report. This has not prevented some actors in the sector from quickly getting down to work in order to avoid possible GDPR sanctions. As the data protection officer of one of them points out, this is “a way of identifying ways of improving operational performance and sources of economies of scale, for example in data storage or the rationalisation of applications and systems”.
For other business areas, such as the remote distribution of office equipment, the implementation of the GDPR also represents a “huge undertaking”. However, for Pierre-Olivier Brival, Managing Director of Manutan, this is a real opportunity to “harmonise practices, rationalise tools and accelerate the digitalisation of the company”. The result is a database that is “easier to secure” and “usable without error”, whereas previously the management of the data collected was often chaotic.
The various advantages of adjusting to this recent regulation are also evident in the banking and insurance sector, notably for the Société Générale group. Its DPO, Antoine Pichot, had already noticed a “parallel between the GDPR requirements and customer expectations as they emerge from satisfaction surveys”, to the point of committing to “actions that make sense from a customer marketing and legal point of view”, considering that “the work of the DPO channel contributes to the group’s customer relations strategy and to the reinforcement of [its] position as a trusted third party”.
Given this set of potential benefits, it would be unwise for a company to miss the boat, especially as the first sanctions are beginning to be pronounced: the risk of a fine of up to €20 million or 4% of global turnover is very real. To avoid the risk of GDPR sanctions, and even to transform this constraint into an opportunity, innovative solutions exist:
Fair&Smart offers organisations solutions for managing GDPR compliance, in particular for collecting consent and managing responses to requests to exercise rights.