Low compliance rates suggest the data protection framework is struggling to take hold.
Believe it or not, but GDPR is nearly a year old. Technically, it’s actually older than that, having first been introduced in 2016, but most people will be more familiar with the compliance deadline of 25th May 2018, which turned into something of a Y2K moment for many businesses. In any case, while it’s distracted with writing its birthday wish list, let’s look at how GDPR has fared in the past year. More to the point, has GDPR failed to deliver what it promised?
The whole point of General Data Protection Regulation was to consolidate existing laws and to bring legislation up to date. It was designed to give further protection to personal data and to prevent its abuse by companies and other organisations, aided by greater power for regulators, such as the Information Commissioner’s Office (ICO), to levy fines against rule breakers.
However, despite having around two years to prepare for GDPR, many businesses didn’t start to take it seriously until a few months before the deadline for compliance. That in itself seems like a significant failure.
By September 2018, the situation had barely improved: researchers from software company Talend found that at least 70% of businesses were failing to fulfil data protection requests.
Months on, in January 2019, the same company reported that at least three quarters of UK organisations were not GDPR compliant.
Why Has GDPR Failed To Take Hold?
Let’s be honest: if GDPR were a TV show, it would have been cancelled by now. The poor rate of uptake is hard to ignore, and it could be due to a number of possible reasons, including:
- Businesses don’t know about GDPR.
- Businesses are not taking GDPR seriously and are just ignoring it.
- Businesses don’t know how to implement GDPR.
- Businesses don’t have the resources to be GDPR compliant.
Let’s examine each of these in turn.
Businesses Don’t Know About GDPR
The idea that companies are still unaware of GDPR seems plausible but unlikely. There were numerous reports in 2018 of businesses having not heard of GDPR: in May 2018, it was estimated that a quarter of European businesses were still in the dark, and a month later, it was found that 15% of IT workers in the UK, US and Germany were in a similar position.
But GDPR has been everywhere for months; every technology or business website worth its salt will have published a story about it. Google ‘what is GDPR?’ and you’ll find countless guides explaining the ins and outs of the law.
If there are people who still don’t know about GDPR, they are surely the minority – and not enough to account for the low compliance.
Businesses Are Not Taking GDPR Seriously
In the lead-up to the 2018 deadline, many businesses were understandably worried about the implications of GDPR. The threat of massive fines loomed large.
However, while GDPR gives regulators the ability to levy fines of up to €20 million or 4% of annual turnover, such extreme financial punishments were never intended to be the norm. Indeed, the ICO made it clear early on that fines would be a last resort for the worst offenders.
To date, the majority of fines have been measured in the thousands – similar to those issued under previous legislation. Google was fined €50 million in France earlier this year, but that was very much the exception to the rule.
So, in light of fines being a last resort, are firms simply ignoring their GDPR obligations? Perhaps. Certainly, when TMB held its GDPR 101 events last year, we business owners were concerned about the incoming regulation and wanted to learn more, but as time has gone on, interest in the subject seems to have waned.
Nevertheless, we’d be surprised if this alone accounted for the 75% of UK organisations failing to comply with GDPR.
Businesses Don’t Know How To Implement GDPR
Broad legislative frameworks don’t tend to make for easy reading, and the GDPR is no different. The 88 pages that make up the legislation are filled with concepts and language that are at times complex, making navigating through it all an unenviable slog. Small business owners will probably need assistance to ensure they adhere to the rules, and larger firms will often be required to hire a dedicated data protection officer.
For the ICO’s part, it has provided excellent guidance through its website, including a detailed but accessible guide to GDPR. But the very fact this guide needs to exist at all suggests that GDPR is too complicated for many businesses – as does the regulatory Sandbox it recently began trialling.
Businesses Don’t Have The Resources To Be GDPR Compliant
No matter how you look at it, complying with GDPR costs money. If you are required to hire a data protection officer, or if you do so voluntarily, you’ll need to pay either a full-time employee or external supplier.
On the other hand, if you decide to handle your data protection matters yourself, you’ll likely need to spend your time learning about GDPR, and then you’ll need to make sure your business complies. The time lost on these tasks translates, of course, to lost revenue.
For medium and large businesses, these costs may be acceptable, but for smaller businesses, particularly sole traders, the time and money required to comply with GDPR may be prohibitive.
Why GDPR Has Not Failed
It’s hard to ignore the feeling that now the dust has settled, the significance of GDPR has faded and, therefore, that GDPR has failed. That conclusion would be naïve.
On a grand scale, GDPR will continue to be relevant, particularly when it comes to punishing the transgressions of major corporations like Google and Facebook. These companies hold vast amounts of personal data, yet their efforts to respect the value of this information and the rights of their users has thus far been abysmal. We should all be glad that regulators like the ICO now have the teeth to really hit them in the pocket.
GDPR will also continue to prove its worth when it comes to punishing rogue organisations, such as spam peddlers and scam robocall companies. Big enough fines can even put these kind of operations out of action permanently.
The soft-touch approach taken to smaller organisations, meanwhile, is the correct path to take, but it does mean change is going to be slow. Some firms may never be fully compliant with GDPR, but its very existence has elevated the importance of personal data, to the point that businesses might now think twice before spamming their contact base or keeping contact details they no longer need.
And despite its preference for leniency, the ICO has shown it’s willing to use its enforcement powers, issuing fines as it sees fit. As long as it keeps doing that, it’s going to be hard for businesses to forget GDPR completely.
So while GDPR hasn't changed the world just yet, it has made a difference, and with its rules set to continue beyond Brexit, it's only just getting started.