A year has passed since the General Data Protection Regulation (GDPR) came into effect on 25 May 2018. It was said that GDPR would cause a revolution in the processing of personal data and would hand back to European citizens the control and ownership over their personal data and thus, by extension, over their own person.
According to some, GDPR would turn Europe into “the center of trust” or “a gold standard” in which internet giants Google, Amazon, Facebook and Apple (Gafa for friends) would incur monster fines of 4% of their worldwide turnover, which would force them to respect the rights European citizens , which in turn would create e level playing field that would allow small European companies to better compete with these international giants who had always chosen to operate outside the EU.
From day one, opponents emphasize the heavy administrative burden that GDPR entails, not only for multinationals, but also for small and medium-sized entrepreneurs.
Now one year later, it is time to make a first balance and to test those big dreams against reality: is GDPR a burden or an opportunity for entrepreneurs?
The first balance for Belgium
The experience of the past year, especially here in Belgium, seems to indicate that the balloon that was filled with hot air last year has deflated with a sizzler. In the past year, Belgium has had no investigations by the DPA, no fines, hardly any complaints, and the reality is that, with the exception of (most) governments, banks, insurers, multinationals and a handful of well-meaning entrepreneurs with strong ethical (and commercial, as we will see later in this article) understandings, an overwhelming majority of Belgian companies have not or insufficiently implemented GDPR, often based on the argument that no investigations were made by the DPA and certainly no fines were imposed.
This lack of controls had a typically Belgian political reason, by the way, which resulted in the board of the newly established Data Protection Authority not being filled for more than a year due to the typically Belgian language requirements imposed on, among others, the chairman. Ultimately, the GBA has been up and running for two months and Belgium can begin to catch up with our neighboring countries.
All of this, however, has already led to a complete absence of any sense of urgency among Belgian entrepreneurs, so that today we are confronted with the regular question of whether all of this GDPR should actually be taken seriously. Also, we sense a lot of frustration amongst our clients related to the idea that poor thought has been given to the impact that GDPR has on the operation of small businesses and the – at least in the perception of entrepreneurs – immense hassle and administration that all this entails. Processing agreements, DPIAs, information obligations, accountability and all administration that this entails, data breache notification obligations, … A whole series of obligations that cost time, money and energy and which at first sight do not yield any benefits.
No, the GDPR has not exactly nestled in the hearts of entrepreneurs in Belgium in the past year.
And in the other European member states?
The situation is somewhat different in the rest of Europe. According to the first figures of the European Commission, one year of GDPR has lead to 145,000 complaints (of which barely 400 in Belgium or 0.27% of the total number of complaints), very little in a population of more than 500 million inhabitants. For our neighboring country France, market research shows that 44% of citizens do not even know what GDPR is when they are questioned. For Belgium there are no figures for the time being, but the almost unreally low number of complaints in Belgium indicates that GDPR is clearly not alive among Belgian citizens.
However, with its typical political bickering between language communities, Belgium is not even the worst student in the class. With Greece, Slovenia and Portugal, no fewer than three Member States have not even been able to implement the GDPR one year after date. In other Member States, the local Data Protection Authorities complain wholeheartedly about a lack of financial strength and staff to perform controls.
As mentioned, the dreaded monster fines have not been applied to date in Belgium (a first 2.000 euro fine was issued last week to a politician for using peoples e-mail without legal grounds during the recent elections), but in the neighboring countries heavy fines and penalties have been imposed, even though it concerns a limited number of cases. The French CNIL in particular has shown itself to be very active in the past year with some high fines, including for Google, but also in the Netherlands, Germany, Poland, large and smaller companies were confronted with warnings, periodic penalty payments and fines. In total, after one year in the EU, the amount of fines issued adds up to to about 56 million euros.
These fines, however limited in number, have indeed had an effect. The digital giants have started to take the GDPR seriously. The Gafa are the ones who have undoubtedly invested the most in “GDPR compliance”, even though they continue to blow hot and cold at the same time by always opening back doors. For example, Facebook was able to re-introduce its face recognition technology in Europe by now presenting the same technology that was previously found to be too intrusive for privacy as a way of protecting privacy under GDPR.
Small companies, however, are clearly not deterred at all by the risk of sky-high fines. They assume that all the attention of the government is taken up by the fight against Facebook and Google and for many that is the perfect pretext not to get started with GDPR.
GDPR as an opportunity?
It is clear that the above applies a fortiori to Belgium, where until recently no government was even active that could carry out checks or impose fines. Does that mean that Belgian companies are right to lean back and assume that the entire GDPR story will cool without blowing?
Well, we don’t agree with that. What we have learned in the past year is that entrepreneurs who have proactively started working with GDPR often do so from a sense of duty or because they are forced to do so due to the circumstances, for example because customers demand that a processor agreement be signed in which a whole range of information and guarantees must be given that presuppose a prior GDPR compliance exercise or because they work for the government and from that angle compliance with GDPR is imposed as a requirement. However, the same entrepreneurs often become enthusiastic along the way during a GDPR process, as they realize that GDPR not only involves a series of administrative obligations, but that conscious and ethical handling of personal data also benefits their day to day business …
The benefits are multiple
Many companies note that a thorough GDPR impact assessment or audit within their company is not only necessary under GDPR, but that it also provides them with a lot of useful information about their own internal functioning: what data do we actually have internally, where is it dlocated, how do our departments work, how do our departments interact with each other, where are inefficiencies and unnecessary risks, how can we use data in a better or pore efficient way, how can we improve the circulation of data within the company, … All very intersting elements that often stay below radar, but that may prove to be extremely useful in the daily operation of SMEs.
As part of a GDPR internal mapping and audit exercise, other companies suddenly see opportunities popping up: opportunities to exchange data with partners where this did not happen before, opportunities to make better use of existing data and extract more useful learnings, wise lessons with regard to to the overall security policy of the company that go beyond the level of personal data, opportunities to digitize, to implement better security of, for example, trade secrets, to finally reorganize those internal teams that have not been working optimaly in the past and to work together more efficiently … In practive, GDPR often turns out te be a trigger for change management and optimization of business processes.
But the smartest entrepreneurs are those who understand that GDPR compliance is not a burden, but a real commercial opportunity. After all, what GDPR has realized over the past year is a growing awareness among digital citizens about how commercial companies are using their personal data. Citizens – consumers – are increasingly aware that their privacy has “value” and that advertisers are only too happy to know who those consumers are, what they buy, where and when they buy, how they pay, how they think, what they expect, etc.
For a long time, advertisers assumed that personal data was “free” in the air and that they could use it without any restrictions. The whole “big data” hype was all about this: collecting as much data as possible, regardless of whether we actually already know what we are going to do with that data today.
Today, however, a growing awareness among citizens is causing a counter movement. People no longer want to be followed, viewed and analyzed without being asked. They want control over what they share and with whom they share that information and they want to know that their wishes are respected. In other words, an ethical image with regard to personal data becomes an important characteristic for brands. For example, correct and transparent handling of personal data is not only part of an internal corporate culture, but is built into the corporate image that companies want to convey to their customers, just as environmental awareness and socio-ethical entrepreneurship are.
Smart entrepreneurs have long understood this opportunity to distinguish themselves from competitors and to them, data protection thus becomes a real sales argument. Companies work on software that is data protection by design and by default, on processes that achieve the same result with less data, on software that maximally encrypts and anonymises data, on guarantees on data security, network security and confidentiality,… and all of them do it from the same perspective, which can be summed up in the slaes slogan “join us, you and your personal data are safe with us… ”.
Looking at it like this, GDPR has evolved over a year from an expensive unsolicited burden for entrepreneurs to an exciting new opportunity for marketers. All of a sudden entrepreneurs do see opportunities to make that cursed GDPR, work in their favour and, at first reluctantly and then more and more enthusiastically, they start to work with GDPR instead of just complying to GDPR, proving for the umpteenth time that the carrot often works so much better in law than the stick…