May 25 was D day, the day that the countdown to GDPR, the new General Data Protection Regulation, came to an end, and the legislation became obligatory across the whole of the European Union. Although companies had two years in which to adapt, in the end, the majority of cases saw a last-minute scramble to implement the new regulation.
Many companies were noticeably nervous and apprehensive, something that is understandable if we consider that the consequences of breaching the GDPR are severe, with fines of 10 million Euros or 2% of annual turnover (Level 1), or 20 million Euros or 4% of annual turnover (Level 2).
But now that the dust has started to settle, what assessment can we make of the situation? Have companies adjusted to the new regulation? Have they solved their doubts? Has corporate cybersecurity been standardized in Europe? Have the privacy policy update emails stopped? Has this whole process finally ended? The fact is there are still things left to do, and, if we analyze the consequences of the GDPR, we can say, broadly speaking, that there have been three different situations.
A rise in complaints in several countries
In the weeks leading up to the deadline for the new data protection regulation, large and small companies turned to all kinds of experts in order to adapt to the legislation. Not all of them, however, have managed to properly adapt. Or that, at least, is what many consumers think.
According to The Guardian, data protection agencies in many countries have reported a sharp rise in the number of complaints for apparent breaches of the GDPR: the UK Information Commissioner’s Office and the French CNIL have both reported that the number of complaints of this type have increased considerably. France, for example, has seen a 50% increase in complaints.
Google and Facebook under scrutiny
Many of the companies that were most concerned about the arrival of the GDRP were small and medium businesses. Though these companies handle less data, they also have less flexibility in their budgets, meaning that they have fewer resources to be able to adapt to the legislation. However, the reactions that we have seen in the two months since its application have gone in the opposite direction.
In fact, according to the non-profit organization NOYB (None of Your Business) most complaints have been against tech giants such as Google, Facebook, or Twitter. The reason? These large companies, rather than totally changing their data treatment policies and fully adapting them to European legislation, chose to launch a standard message, forcing users to accept their new privacy and cybersecurity policies; if users didn’t accept, their accounts would be blocked.
The other side: those who went too far the other way
Nevertheless, there was also a third case that got a lot of people talking: this is where we saw large companies that, despite the fact that they already complied with the new legislation, decided to send their users an email, asking their permission to receive notifications.
If a user chose not to accept these new policies, or simply didn’t click on the link in the email, the company that sent it would be forced to remove many users from their database – users whose permission, in fact, didn’t need to be asked.
This is what lawyer Samuel Parra believes: “There are companies that, after being incorrectly advised, sent this email asking their users for consent again, when in fact, these users’ data had been obtained legitimately, so new consent wasn’t needed.” Thus, “they now have a problem: they have found that 70 or 80% of users didn’t click on the link in the email, meaning that these companies have to delete their details from their database”, something that has meant that “several companies may have lost a large amount of future revenue, all because of some bad advice”.
Whatever the case, one thing that is true is that all companies that handle data belonging to users in the EU not only have to have their users’ permission, but they also have to establish certain corporate cybersecurity measures, such as protecting their communications (emails are the gateway for threats to your company), or implement an action and information protocol in case of possible cyberattacks.
If you’re worried about your company’s IT security, you’ll be interested to find out more about Panda Adaptive Defense, Panda’s advanced cybersecurity suite that not only acts automatically on the most frequent intrusions, but also has a human team of analysts who are able to prevent, detect and respond to cyberattacks. What’s more, we’ve incorporated the module Panda Data Control to simplify the task of complying with the GDPR, helping you to have greater visibility and control of all personal data, including unstructured data, and to strengthen your security.