GDPR: What assessment one year later?
Implemented on 25 May 2018, the General Data Protection Regulation (GDPR) caused a lot of ink to flow on its first anniversary. One month later, and with a little more hindsight, we draw up a general assessment of its achievements and prospects.
A mixed record for the French
More than 11,900 complaints addressed to the CNIL, i.e. an increase of 30% between May 2018 and May 2019, 2,044 data breach notifications, approximately 19,000 data protection officers appointed by more than 53,000 organisations, 8.1 million visits to its website… These French statistics published by the administrative authority are edifying, and for good reason, 70% of the French people now say they are more aware of data protection issues, it then reminds us in its famous assessment of the first year of application of the GDPR. The consequences of this increased awareness among citizens are varied: according to an Odoxa survey, 76% of French people say they are concerned about the collection of their data and the use of this data by websites or e-commerce sites. This concern leads some to be wary: although 42% of them find personalised advertising well targeted, only 41% of them now say they appreciate it, compared to 50% in 2015. Their fears also concern the big digital players such as Facebook or Google, which 57% do not trust to better protect their personal data, despite the two companies’ recent statements in favour of data privacy.
The global European reaction to the GDPR
Obviously, this phenomenon is far from being exclusively French and has spread throughout much of the European Union. At the European level, the CNIL reports 144,376 complaints, 89,271 data breach notifications, and significant cooperation with all of its counterparts on 1,013 procedures involving several thousand people. The European Commission, for its part, mentioned in a press release 400 cross-border cases as well as a significant progress in the process of raising citizens’ awareness of the GDPR: 67% of Europeans have already heard of the RGPD, and among the 57% of them who are aware of the existence of an administrative authority in their country responsible for their rights concerning their personal data (compared to 37% in 2015), 20% know precisely which one it is. This development and these statistics are proof of the relevance of such regulations, which are beginning to develop beyond the European Union and to have a global influence.
Across the Atlantic, private and public players in favour of data protection
Several large American companies have distinguished themselves by declaring themselves in favour of protecting their users’ personal data. Some have even taken action to manage their data more respectfully.
Apple was undoubtedly the first of the GAFAMs to take a stand in this way, notably via one of its advertising spots with the evocative name “Privacy”. Tim Cook, its boss, had repeatedly defended a personal data management model in the United States similar to the European GDPR.
Google’s CEO, Sundar Pichai, was quick to respond, explaining the importance of data protection for his company and criticising Apple’s policy of “luxury privacy” reserved for its high-end products. Google’s recent data privacy innovations include an option for users to choose to automatically delete their personal data after 3 or 18 months, a new mobile operating system, Android Q, that will better protect users’ personal data, and the opening of a global data security centre in Munich.
Facebook and Microsoft are not to be outdone, with the social network planning to set up an independent committee to protect the privacy of its users, and the famous IT multinational having taken the initiative of separating the data it collects into two categories, required and optional, and allowing users to deactivate the collection of so-called optional data. Obviously, these advances are not without interest: smaller players have fewer resources to inject into their compliance and communication on this subject. The web giants are therefore taking advantage of their popularity to reinforce their domination and to obtain the “General Data Protection Regulation” more easily from Internet users who have a very positive perception of companies with a policy of security and respect for privacy. Despite this, these are positive developments, especially as this trend is not limited to private companies, but to many countries.
International awareness
“The influence of the GDPR principles extends beyond Europe. From Chile to Japan, Brazil, South Korea, Argentina and Kenya, we are witnessing the emergence of new privacy laws based on strong safeguards, enforceable individual rights and independent supervisory authorities,” said the European Commission in its statement. So by 2022, almost 50% of the world’s population should be living under the protection of a regulation similar to the GDPR, compared to only 10% today. While the European Union has proposed to the World Trade Organisation a text providing for an international regulation on data protection, the debate is particularly present in the United States once again, a few months before the California Consumer Privacy Act comes into force. Elizabeth Warren, a Democratic senator, had tabled a bill providing for prison sentences for the directors of large companies who are negligent in protecting personal data. The founder of the privacy-friendly search engine DuckDuckGo, Gabriel Weinberg, has also drafted a bill called the “Do Not Track Act”, which aims to require websites to respect the ban on tracking, often materialised in browsers and search engines by activating a function called Do Not Track.
Mentalities therefore seem to be evolving and converging towards a desire to develop legislation similar to the GDPR on a global scale. At the same time, there are many disparities with regard to this regulation within the European Union and the States that apply it.
RGPD: still significant disparities
Following the General Data Protection Regulation, the different economic actors adopt different reactions: between lack of financial means, lack of attraction to the subject or even the lack of understanding of it, discover the existing disparities.
Diverging appeal depending on the country
In the European Union, three countries are behind and have still not implemented the GDPR in their national legislation: Greece, Portugal and Slovenia. A survey of 287,571 consumers worldwide by Ogury reveals that only 20% of respondents say they have a better understanding of how companies use their data, 33% do not, and 47% do not even know about the regulation. As for the “General Data Protection Regulation”, 78% of respondents do not read the collection forms completely, and 52% worldwide (58% in Europe) do not understand the use of their data despite reading the forms. As for the French, the Odoxa survey indicates that 50% of them do not read the legal notices, which are incomprehensible and complex to decipher.
Citizens’ trust in their employers in terms of the security of their personal data also varies: while 56% of Europeans say that their data is stored responsibly and securely by their employers, only 43% of the French think so, with a third worrying about the protection of their data, and 7% fearing that too much data is stored without their “General Data Protection Regulation”.
Focus on the private sector
Moreover, more affected than large companies, VSE-SMEs and start-ups are still struggling with complex regulations to apply. A study conducted by Kapersky Lab at the end of 2018 among 700 SME decision-makers reveals that 50% of them have not strengthened their security measures, that 77% have not carried out a security audit, and that half do not train their employees in personal data protection and cybersecurity issues. A second OpinionWay survey of 500 heads of companies with less than 250 employees informs us that of the 48% who are still not sure they are compliant, 14% know that they are not complying with the new regulation, due to a lack of time, support and resources to make a proper transition. Difficulties that seem to be proportional to the size of the company, the smaller they are, the more difficult they find it to apply the RGPD: while 49% of companies with less than 10 employees are worried about this regulation, this is the case for only 28% of companies with more than 150 employees.
Start-ups are also experiencing some difficulties in complying with the RGPD. According to the “Start up Legal Scanner” study of the Murielle Cahen law firm carried out on 185 start-ups between 3 and 10 years old:
77% of them do not comply with the obligation to publish the new regulation on a page of their websites. Although it is mandatory to include the name of the director or co-director of publication in the legal notice, only 49.5% do so. Only 37.6% have published General Conditions of Use or General Conditions of Sale on their websites. This information, which is compulsory, allows users to be aware of the conditions of use, sale, and their rights and obligations when purchasing a product or service on the site concerned. Only 32% of start-up sites provide users with information on the legal channels to follow in the event of a dispute. This information enables individuals to take legal action in the right way in the event of a dispute. 45% of the sites display a limitation of liability clause in their legal notices in certain cases, and 2% of the sites in question contain a clause with an incorrect explanation.
These shortcomings are easily explained by start-ups that prioritise their economic growth over optimising their compliance with the various regulations.
Towards an end to CNIL tolerances
If the first year was still considered as a transition period for the compliance of organisations, companies have every interest in fully respecting the RGPD. The year 2019 marks the end of a certain tolerance due to the novelty of the text for the CNIL, which has indicated that it will therefore “fully verify compliance with the new requirements” and “will, if necessary, draw all the consequences, including in terms of sanctions”. Marie-Laure Denis, who succeeded Isabelle Falque-Pierrotin as president of the administrative authority, supported this statement: “regulatory action can only be effective if we use the two levers at our disposal in equal measure, i.e. education on the one hand and control, possibly with sanctions, on the other.
In order to help companies to comply and to build trust, Fair&Smart offers turnkey solutions for the management of the General Data Protection Regulation (GDPR) and the exercise of the GDPR right.
If you would like to learn more about Fair&Smart and our personal data management solutions, click on the button below:
Follow us on social networks:
