The good, the bad and the unexpected: what GDPR has taught us in the last year

Before the official implementation of GDPR last May, there were plenty of predictions being made across the enterprise, including which tech giants would be the first to cough up the cash, and how many would be immediately called out for non-compliance.

However, while many of these predictions have gone from expectation to reality – some within a matter of days – the regulation has also bought with it far more than just headline-grabbing fines, including a number of surprises that we didn’t expect.

On the one-year anniversary of GDPR’s enforcement, here’s a few things that we perhaps didn’t see coming, and how we think they’ll pan out.

  1. There’s always something better around the corner
    Despite being one of the most comprehensive standards to date, in just one year, other data privacy mandates have started to slowly take the lead from GDPR. In the U.S., for example, more and more states are agitating for tougher privacy and regulation, forcing the U.S. Congress to consider a federal data privacy law. In the UK, we’re gearing up for the ePrivacy Regulation, which will provide the specific obligations that flesh out the more general provisions of the GDPR. These developments will inevitably result in a ‘ripple effect’, causing more modern regulations to gain the top spot.
  2. One employee mistake could cause a whole company downfall
    Perhaps the biggest (but not necessarily the best) revelation in relation to GDPR happened just last month, when the Information Commissioner’s Office (ICO) failed to follow its own advice. Despite leading the GDPR charge – as well as being responsible for dishing out fines to non-compliant organisations – the ICO recently admitted it is still in the process of drafting its own privacy notice for employees. While everyone is busy worrying about external data breaches costing them money, staff with a lack of education and understanding on what GDPR means in practice are without a doubt where the greatest threat lies, and organisations know it. In our recent Global Encryption Trends study, 54 per cent of cyber security professionals ranked employee mistakes as the top threat to sensitive data.
  3. Clued-up consumers know more than we expected
    While the majority of the GDPR focus fell on organisations and how the regulation would impact them, the level of awareness on the consumer side was overlooked. Since the standard came into force, consumers have expressed more interest and knowledge in how their data is being collected, stored and used by the brands they engage with. They’re asking thoughtful questions and making buying decisions based on their perception of how safe their data is, versus taking the ‘check the box’ approach that many thought they would. This behaviour is in turn influencing organizations to recognize security as a potential driver of profit and customer loyalty. In the future, I won’t be surprised to hear of a CEO citing data security policies for competitive advantage in the market, or seeing a supermarket TV commercial asking consumers to shop because it promises to protect their personal data.
  4. Security and experience don’t always go hand-in-hand
    There’s no doubt that the introduction of the GDPR was much needed, raising a great deal of awareness around best practice and promoting responsibility, however, has this come at the cost of consumer experience? Before the regulation was enforced, it wasn’t entirely clear how GDPR would have a day-to-day steer on what we see when we go onto a website or engage with a company. A year on and it seems we underestimated how much resentment additional notifications and extra ‘clicks’ would cause. According to exclusive research commissioned by Marketing Week, just 6 per cent of consumers strongly agreed that their experience with companies using their data has improved due to GDPR. The largest proportion (46 per cent) don’t think the regulation has made any difference at all, while 17 per cent think things have actually got worse in the last year.

Like it or not, GDPR is here to stay for now. For more information on how Entrust helps businesses comply with global regulations, check out our dedicated landing page. You can also follow Entrust on Twitter, LinkedIn, and Facebook.