The EU’s General Data Protection Regulation (GDPR) is the most far-reaching privacy regulation in the world, according to Frank Trautwein, co-founder of data protection consultancy Fresh Compliance.
“The GDPR represents data protection best practice and is driving data protection maturity throughout the EU and beyond,” he told Consumer Identity World Europe in Amsterdam.
Data protection legislation outside the EU is being influenced by the GDPR, with similar legislation now beginning to be enacted and drafted in many countries worldwide.
“New privacy legislation introduced in the US state of California in June 2018 and in Brazil in August 2018 is the closest to the GDPR so far,” said Trautwein.
In addition to driving data protection maturity in organisations, he said it is also helping to raise consumer data protection awareness and expectations, with a Janrain study showing that 69% of US consumers would like to see GDPR-like laws in the US.
The most obvious effect of the GDPR in the European Union in terms of driving better data practices, said Trautwein, was the almost immediate decrease in the number of EU websites using third-party trackers.
The other immediately obvious effect was that there was an increase in complaints and queries by individuals and organisations made to data protection authorities.
Some data protection authorities have become inundated since the GDPR went into effect, with an average increase of 50% in demand for responses across all EU member countries.
“The German supervisory authority, for example, is currently taking months to respond to questions from consumers and businesses,” said Trautwein.
“Another effect has been that organisations have matured over the past five months, although the most mature organisations are in the financial and other highly regulated sectors or are based in countries like Germany where strict privacy laws were in place before the GDPR,” he said.
Out of the more than 100 GDPR projects he has worked on that were mostly in Germany, Trautwein said only 20% of companies had a high risk of failing GDPR compliance and needed to take immediate action to mitigate risks. Most companies (60%) had only medium risk and 20% were low risk.
However, data shows that after a two-year implementation phase and five months after the GDPR came into full force, some organisations are still not up to speed and still have work to do.
“One study shows that only 60% of EU organisations have significantly changed their workflows for collecting, using and protecting personal data as a result of the GDPR,” said Trautwein.
Deloitte data shows that only 35% of organisations have GDPR-aligned data breach reporting processes in place, which he said is risky in light of the GDPR requirement to report a personal data breach to the supervisory authority within 72 hours of becoming aware of it.
In closing, Trautwein said that hopefully the trend of following the EU’s example in the GDPR will continue to grow around the world because it is a best-practice approach that tackles the right questions.
“This best-practice approach has already resulted in some improvements, such as in the California Consumer Privacy Act, for example, where the definition of personal data is much clearer than in the GDPR,” he said.
According to Trautwein, there is already recognition by EU-level and national law makers that there is room for improvement and they are already working on making changes.
“This is something that lawmakers, not only in European member states, but also on an international level can work together on,” he said.
When asked why there have been no significant fines under the GDPR to date, Trautwein said the first significant fines are likely to be levied only in 2019.
“There are still several court cases and investigations going on involving big companies and we may see some of the first big fines only next year,” he said.