As the GDPR arrived, the lights didn’t quite go out, but some were clearly left unprepared as firms opted to restrict access to websites rather than face the prospect of fines, says Ashley Gatehouse
When the New Yorker referred to the GDPR as ‘the most contested law in the E.U’s history’ it was perhaps an indication of just how disruptive those within the boardroom felt the new legislation would be. But as the May 25th deadline came and went, what did we learn from the first few days post-GDPR?
Some were clearly not ready. The first indications of the seriousness with which this was now being taken came when a number of US news publications including the Chicago Tribune and LA Times suddenly restricted access, saying they ‘were currently unavailable in most European countries’.
That seemed an odd move from the Tronc and Lee Enterprises media publishing groups, businesses built around advertising and lists of subscribers. With the latter having 46 daily newspapers across 21 states in the US, perhaps the logic was that business wouldn’t be that badly affected?
A message from Tronc confirmed its sites were offline in most European countries, adding that it was “engaged on the issue and committed to looking at options” to support a “full range of digital offerings to the EU market”.
Over at Lee Enterprises, a similar statement acknowledged the disruption faced by those attempting to access its websites from within the ‘European Economic Area (EEA) including the EU which enforces the General Data Protection Regulation’, confirming that sites were ‘temporarily unavailable’ with access being denied for the time being.
Yet, with so much ‘noise’ around the subject in the months leading up to May and inboxes being inundated with emails concerning the application of the GDPR to their business, the temporary move to stop trading with the European Union rather than risk fines seems an odd one. But is it entirely justified? Given the proposed fines and potential consequences of being non-compliant, one could argue that it was mission accomplished in part. But are such strategies those of forward-thinking enterprises, when they represent only a temporary solution to a problem that, if handled badly, could potentially cost businesses a fortune in lost revenues and brand value?
In the Financial Times, Wilbur Ross, the US Commerce Secretary, went further, suggesting that in its current form, the GDPR ‘could significantly interrupt transatlantic co-operation and create unnecessary barriers to trade, not only for the US, but for everyone outside the EU.’
His contention was that the GDPR created several ‘grey areas’ that at the very least caused confusion as to what was required of firms in order to comply and at worst could severely impact upon ‘financial regulation, medical research, emergency management co-ordination and important commerce’.
That, he said, could ‘threaten public welfare on both sides of the Atlantic’.
Of course, deadline day also brought the first complaints, with high-profile challenges made against Facebook and Google by Max Schrems and his non-profit organisation, NOYB.
Schrems’s argument centred around the fact that the pair operate a ‘forced consent’ policy whereby users are unable to use offerings should they fail to comply. He believes that under the terms of the GDPR they should be able to choose, with consent not being a condition of using such services. Similar filings were also made against the Facebook-owned Instagram and WhatsApp.
While Facebook and Google were quick to defend their policies and data collection practices, it’s clear that companies are now firmly under the microscope not just from the regulator, but also from privacy activists and watchdog groups keen to expose those organisations perceived to be falling short of requirements.
Yet while businesses were rushing around to ensure compliance, it transpired that the EU had already made a gaffe of its own, as reported in The Daily Telegraph. Evidence passed to the news outlet showed that there had been a data leak exposing the details of ‘hundreds of citizens’, which, had it been by another organisation, would have been in breach of the GDPR.
In response, the European Commission suggested that European institutions were being kept separate from data protection regulations for ‘legal reasons’, with officials in Brussels declaring that they would instead be following a new law coming into effect in the autumn that would mirror the GDPR.
Clearly we’re just at the beginning of a long road towards achieving continuous compliance, but given the intricacies involved, companies face a tightrope as they move to secure the data they hold on individuals whilst at the same time looking to improve internal processes and align with the GDPR. To do that they will need to redefine their approaches with a clear strategy that delivers long-term goals to the business rather than proving an unwelcome and potentially costly distraction.