A Year Later: What GDPR Really Means for Business

Over a year ago, the European Union made the General Data Protection Regulation (GDPR) the law of the land. Ever since, business owners, politicians and the public all over the world have been wondering what it means for the EU and for the other territories that may follow with similar laws of their own.

The legislation has already done good that we can see. But it has also added new responsibilities to the business owner's already burdened plate.


More Than One Way to Measure Success

There are two primary missions of the GDPR: to require all businesses and organizations to disclose data breaches soon after they happen, and to fine the accountable organizations for handling user data poorly. The first part of the mission has been an undeniable success.

According to the UK Information Commissioner, the first eight months after GDPR took effect saw some 60,000 reported data breach incidents across Europe. That is a substantial increase over the roughly 18,000 to 20,000 breaches per year reported before GDPR came onto the scene.

It seems organizations throughout the EU are feeling the pressure to self-disclose within 72 hours when suspicious or overtly criminal activity involving personal data occurs. This basic level of information sharing, and more, is vital for keeping consumers protected and for helping data scientists and developers pinpoint and patch vulnerabilities as quickly as possible. It has also been a useful development for regulators and for those tasked with identifying careless or criminally negligent parties and delivering the appropriate penalties.

Part of the reason for the leap in reported incidents is a much broader definition of the phrase "personal data." The EU's 1995 Data Protection Directive (DPD) only covered obvious data points like names and home addresses. GDPR improves on the DPD by also covering device-level identifiers such as IP addresses, biometric data and more.

That brings us to the second part of GDPR's mission: punitive measures.


Does GDPR Hold Businesses Accountable?

The largest fine delivered so far under the GDPR to a private company also makes up the bulk of the funds collected to date: a €50 million ($56 million) fine against Google. In all, the EU took in about €56 million in fines during the GDPR's first year.

Many smaller businesses are wondering what these changes mean for them. They have had fines handed down, too, including one company in Poland that failed to let its customers know it would be collecting some of their data for processing. It paid €220,000.

These fines are not the only costs businesses face after the implementation of GDPR. Some companies have had to cease operations entirely, or stop doing business in the EU, because they could not afford what GDPR-ready compliance measures would cost.

Outside the borders of the EU, companies large and small are watching the fines and the scramble to achieve compliance, and are taking stock of their own data handling, transparency and notification practices. The GDPR is not just for EU-based companies; it also covers companies that collect data on EU citizens. That means industries from wealth management to e-commerce are preparing for similar measures to reach the rest of the U.S., beyond states like California.

In this way, GDPR is the beginning of a worldwide conversation. If some see a slow start here, it is because the law represents something much bigger. Some will say the fines delivered to the largest corporations so far have not been large enough to change their behavior. Will the law hit smaller companies harder, like that Polish firm? That may prove to be the case. The system seems to be working, but it will require further study and additional changes.


What GDPR Means for Businesses

Ultimately, the near-term and ongoing impact of GDPR on the business community is that companies can no longer afford (quite literally, in some cases) to make customer privacy an afterthought. It needs to be a top-priority concern, baked into the company's business model, services, products, and communication and marketing channels.

There is a lot of chatter about the U.S. adopting a GDPR-like measure. Companies in the EU are beginning to feel this law work as intended, and some of them have not survived the forced changes to their business models. Companies in the U.S. and elsewhere have more time to prepare, which means taking a hard look at what data they collect, how they will use it and whether that use complies with the GDPR. Companies need to let customers know when they want to gather information, explain what they plan to use it for, encrypt and store it securely, and provide a clear opt-out for customers who do not wish to take part.

Putting these systems in place will cost money. However, all of it works toward a safer and more secure digital world. The EU's privacy law is not a binding blueprint, but it inspired California's effort and will almost certainly help shape a United States federal privacy law when one arrives.

GDPR also means companies will have to shoulder the cost of either "staffing up" or outsourcing some of the IT architecture and compliance work to a third party. Professionals in the computer sciences are in demand right now.

Clearly, governments all over the world are raising the bar for digital privacy, and companies need to catch up and update their standards or risk being left behind.

About the author

Nathan Sykes enjoys writing about the latest in business technology on his site, Finding an Outlet, and is a regular contributor to Simple Programmer, Best Techie and KDnuggets.
