Happy GDPR day: Marking the anniversary of a controversial internet sensation
Updated: Jun 7, 2019
by Philipp Requat (Requat Advisory Insight)
One year after its EU-wide implementation, the bloc’s landmark data protection regime remains a source of confusion
There was a palpable sense of dread surrounding the activation of the General Data Protection Regulation (GDPR) in the European Union (EU) exactly one year ago today. Even on the other side of the world, California-based search engine and social media behemoths railed against a set of rules which they warned would stifle growth and innovation. Organisations that had failed to update their internal policies before May 25th 2018 entered a new era of data protection fearing the imposition of hefty fines by regulators.
As a political economist who spends an unhealthy amount of his time thinking about governance issues of the single market, I began to receive calls for help in the wake of GDPR-day. I tried to reassure some clients bordering on hysteria that, unless they happened to derive the bulk of their income from personalised online advertising, there was little reason to fear the latest standards.
Of course, it does seem fitting for an EU which is regularly depicted as a bureaucratic monster by its critics that its biggest internet sensation to date is an 88-page legal text years in the making. Several representatives of the bloc’s Brussels-based institutions have told me, independently of each other and with genuine pride, that GDPR displaced someone called Kim Kardashian as the most-googled search word of the year 2018. Yet in spite of all of this attention, popular (mis)understanding of the rules continues to be strongly influenced by two myths which do not hold up to scrutiny.
Firstly, given the international shock expressed at the arrival of the GDPR, you might be tempted to believe that it was sprung on the globe-spanning community of data controllers, data processors and data subjects as a malicious surprise. In fact, GDPR hardly emerged out of a regulatory vacuum. A first major attempt to harmonise national European laws on the subject was made with the European Data Protection Directive in 1995, which in turn incorporated many principles of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data adopted by the European Council in 1981.
The commercialisation of the internet, and the resulting rise of Big Data as a novel business model, has since undeniably brought a dramatic increase in the salience of ensuring that potentially sensitive information about citizens is stored and used appropriately. While the bulk of the GDPR’s body mirrors its directive predecessor, the regulation consequently also contains important changes with regard to the liability of data processors, as well as the territorial reach of the rules. The 1995 Data Protection Directive had to be enacted into the laws of individual member states by their respective governments, leading to variation across the bloc. By contrast, the regulation applied automatically and uniformly across the entirety of the EU from May 25th (and EEA members from July 18th) last year.
It is worth noting that some of the fiercest critics of the GDPR changed their tone significantly once it became a fait accompli. Keen to shake off its image as the Billy the Kid of a digital Wild West, Facebook is now encouraging other jurisdictions to follow the EU’s example on strict data protection standards in order to prevent a regulatory Balkanization of the internet. Earlier this month, Google announced the opening of a ‘global hub for privacy engineering’ in Munich, citing the notoriously uncompromising stance of German authorities on data protection as having inspired the specific choice of location.
Whereas members of the elite club of U.S. tech giants thus appear to be warming to the GDPR, a wave of knee-jerk reactions by smaller and less IT-focused organisations highlights a second important misunderstanding about the regulation. GDPR compliance is not just a box that one can tick like the cookie consent forms which have proliferated on websites. It is a principles-based, instead of a prescriptive, system. Organisations must learn and continuously act in accordance with these relatively intuitive principles when handling personal data in a manner which reflects six ‘fair processing grounds’.
If this has created an unwelcome and unprecedented regulatory burden, it is only because similar legislation which was previously in place was harder to enforce. The eye-catching potential fines of up to 4% of global revenue are likely to be rare, but the newly-created Lead Supervisory Authorities in individual member states have also been handed a host of more subtle sanctions to hold to account those who fail to assume their data protection responsibilities. Although organisations may require advice from specialists to ward off this threat, such assistance should ideally result in the establishment of an internal GDPR regime in which processing decisions can be made independently and with confidence.
Instead of being a mere nuisance, a society which becomes more data protection-savvy as a result of effective legislation stands to benefit us all. As consumers and citizens, we can rest assured that hard-won individual personality and privacy rights are protected in both analogue and digital realms. The Cambridge Analytica scandal is a recent and powerful reminder of how intertwined the health of our democracies has become with the governance of the internet. For businesses with slightly more mundane concerns, correct data processing is also an integral part of their wider IT security infrastructure. The GDPR forces managers to pay closer attention to how potentially sensitive information about workers and customers is stored, used and accessed on internal networks and in the cloud. Making a serious effort to comply with the regulation can prevent damaging accidental leaks of European data and draw a first line of defence against the growing phenomenon of cyber-crime.