GDPR: 1 year on, fully compliant?

One year after coming into force, the GDPR has not had its last word and remains a key concern for businesses

Everyone remembers where they were on 25th May 2018, when the GDPR (General Data Protection Regulation) came into effect. In the wake of numerous scandals that tarnished the reputation of some of the digital world’s biggest names (Facebook to mention but one), the GDPR emerged as the necessary response to the culture of disregard vis-à-vis personal data protection in the booming digital economy.

After amassing extensive media coverage, galvanizing companies’ legal and marketing executives, shaking up regulatory bodies and educating users…the GDPR continues to make headlines!

Widespread yet uneven initiatives

One year after the GDPR came into force, there is one observation to be made: a large majority of companies, multinationals and SMEs alike, undertook steps to get compliant, with new procedures, governance and contractual clauses. However, for many of them, such compliance was purely superficial, designed to achieve the absolute minimum to not fall afoul of the law.

Up until now, this minimalist approach has been the favoured option mainly because small- and medium-sized businesses have not welcomed the GDPR with open arms, seeing it more as an obstacle to the digital economy’s general growth, and particularly to their competitiveness. More than a few were put off by the idea of imposing new restrictions upon users and potentially losing some of their customer data through lack of consent.

But the difference in approaches can also be traced back to the text itself. The first version of the GDPR stipulates principles that must be respected, without explaining in concrete terms how they should be implemented, leaving much room for interpretation. Each organisation concerned was thus given free rein to choose the method(s) that they deemed the most appropriate for their business — and often the least restrictive.

A step towards more harmonised – and restrictive – practices

Are the initiatives that businesses have taken so far, however minimalistic, actually sufficient to comply with the regulations? While, for the time being, they may be enough to avoid sanctions from regulatory bodies, this is by no means certain to last!

It’s only been a year and already the text has evolved. Debates and feedback from regulatory authorities and industry bodies have led to clarifications on the methods that are currently lacking. This adjusting and clarifying is partly in response to reaction from the industry, but also to the need for a European-wide harmonisation of practices.

The GPDR was originally designed to be applied uniformly across the whole European market, where some disparities still remain. The French data protection authority (CNIL), considered more lenient than its European counterparts, will thus progressively refine and apply the text, slightly toughening its recommendations to gradually eliminate local differences and align itself with its neighbours.

This means that businesses must remain vigilant to future changes and ensure that their methods and procedures also comply with the new regulatory standards.

Expected changes

The GDPR has therefore not had its last word! We could even go as far to say that it’s barely learnt to speak, and will continue to shape and reshape organisations’ global approach to personal data protection for months and years to come.

In the short term, we can expect to see an end to the so-called “soft” consent, i.e. consent by continuing to browse a website. Tolerated so far in France, this collection method — which follows one possible interpretation of the current GDPR — is most likely to soon disappear and be replaced by “strict” methods that involve a direct expression of consent (e.g. by clicking on an “accept” button).

Undoubtedly, the consent symmetry will also shortly come into the firing line, with a requirement to give all the possible consent options equal prominence e.g. by always showing a “refuse” button next to an “accept” button.

Lastly, clarifications regarding the exchange of data between partners are also in the pipeline. Soon, if an organisation wants to share data it has collected from its own users with a third party, it must precisely name each of these partners when it collects said information.

The GDPR will thus continue to evolve and be refined, with a view to standardising the digital market and holding personal data holders responsible. Organisations must consider the GDPR as a key factor in their decision-making process: it will come to impact their work methods, their design and production processes and, evidently, their marketing strategy and operations. As it stands, we often only tackle the tip of the iceberg, but the issue of compliance must play a part of daily business for every employee and be taken into account in every procedure and debate. It is only then that companies will start to see how they can use it to their advantage, rather than it simply being an unwelcome hurdle.