GDPR: a first gap between early birds and latecomers


Implemented on May 25th, the European General Data Protection Regulation (GDPR) is already leading to disparities. While it has brought the first sanctions against a few companies, it is a source of improvements in the management of personal data for others.

This makes a real difference in terms of consequences, like those observed in the online advertising industry. According to a study conducted by Cliqz and Ghostery, Google, the leader in this area, which could afford to get involved early and highlight its supposedly exemplary GDPR compliance, saw its growth increase by 1%. This came at the expense of smaller entities from the same sector, which lost 18% to 31% of their reach on the web. Having not sufficiently demonstrated their adaptation to the new regulation, they are left aside by site owners eager to avoid any penalty. Obviously, this gap between pioneering organizations and latecomers is not confined to this sector…

First substantial sanctions

€400,000 is the amount of the first fine following the enforcement of the GDPR, a penalty imposed by the CNPD (the Portuguese equivalent of the CNIL) on a hospital center near Lisbon, following three violations of the new regulation.

Of course, French companies may also be affected: five subsidiaries of Humanis and Malakoff-Médéric received a formal notice from the CNIL for misappropriating, for prospecting purposes, personal data intended for the management of contributions and retirement allowances.

Even international giants such as Twitter are not immune. First suspected by a British researcher of not respecting the GDPR, the social network is now under investigation by the Irish data protection authority.

But unlike these three notable examples, other firms did not wait for a possible penalty before properly complying with these new requirements on personal data. Some of them even rightly identified opportunities for improvement and multiple benefits.

The benefits of compliance

While the process of compliance can be extremely laborious, sometimes requiring 12 to 36 months of work for welfare and medical organizations according to a finding of Ressourcial, this did not prevent some structures from getting up to date quickly. A data protection officer of the sector foresees “in the long term, a way to identify ways to improve operational performance and reduce expenses, for example on data storage or streamlining of applications and systems”.

For other sectors, such as remote distribution of office equipment, the implementation of the GDPR also represents a “huge project”. However, for the general manager of the company Manutan, Pierre-Olivier Brival, it is nevertheless a real opportunity to “harmonize practices, streamline tools and accelerate digitalization of the company”. This evolution results in a database that is “simpler to secure” and “usable without error”, whereas the management of previously collected data was often chaotic.

Adjustments to this recent regulation have also led to various benefits in the banking and insurance area, particularly for Société Générale Group. Its DPO, Antoine Pichot, had already noticed beforehand a “parallel between requirements of the GDPR and expectations of the customers as they emerge from satisfaction studies”, to the point of leading “actions that make sense from a legal and marketing point of view as well”, considering that “the work of the DPO branch contributes to the group’s customer relations strategy and reinforces [its] position as a trusted third party”.

Given all these potential benefits, it would be unwise for a company to miss the mark, especially as the first sanctions materialize: the risk of a fine of up to 20 million euros or 4% of global turnover is a reality. To reduce that risk, and even benefit from this new regulation, innovative dedicated solutions are available: Fair&Smart offers organizations premium solutions for handling the B2C aspects of GDPR compliance, particularly consent management and the processing of GDPR rights requests.