GDPR the year after



2 July 2019

Before the GDPR came into force on May 25th 2018, Data Protection was often treated as an added extra to a business’s offering. Prior to the new law, information had been gained through implicit consent. Users were not aware of where and how their data was used, and receiving e-mails from websites you had merely looked at was commonplace.

Although the GDPR was a long time coming – 7 years in the making – businesses still felt flustered when May 2018 came around. Many initiatives for compliance were last minute and most organisations focussed on re-permissioning e-mails, which led to a dramatic drop in database volumes. However, this mass opt-out on day 1 was beneficial in clearing out databases of passive users, leading to a more engaged audience who are happy to receive marketing e-mails from specific brands. In theory we should now see e-mail conversion rates skyrocket.

Some organisations saw the GDPR as a similar deadline to the Y2K panic. Yet the GDPR is not something that went away after the deadline; it is something that needs to be worked on daily in all organisations to maintain compliance and accountability. An Unlimited study compiled by Nick Chiarelli (Head of Trends, Unlimited) and Stephen Welch (Joint MD, Realise) found that 92% of organisations surveyed claimed a level of confidence in demonstrating their ability to conform to GDPR in the long-term, although 35% are concerned that they don’t have sufficient resources to sustain their compliance. Finding the right people to do the work has been a challenge for most organisations and now privacy professionals are sought after more than ever before.

The first year of the GDPR in the public eye has been largely focused on fines. The ICO is misunderstood here: they don’t wish to go in and fine a business. They have a pragmatic response and want to help companies and encourage them to fix the problem rather than hit them with an initial large fine. The Information Commissioner, Elizabeth Denham, noted that “last May marked a seismic shift in privacy and information rights”. The ICO know it’s a big change and want to help pull businesses through. It’s important for businesses to trust the ICO and see them as a help and not a hindrance as the GDPR enters its second year.

The same survey looked at public understanding of the GDPR a year on and found that public comprehension is “ok but could be better”.

The study shows that GDPR awareness is high in 2019, with 78% of the public knowing about or having heard of the new data protection law. In terms of age demographics, awareness is highest among 45-54 year olds, with 82% of that age range being conscious of the GDPR. The survey found that there is a divide between younger members of the public, who find the use of personal data and technology to identify you and your needs ‘cool’, and the older members of the public, who find adverts chasing you around the internet ‘creepy’. It’s interesting to note this change in age demographic, as it’s likely the over-personalised ‘cool’ experience will win out, with customers wanting a brand to know them and be able to tailor content and marketing towards them on a heightened personal level.

Although awareness is high, the understanding of specific elements of the GDPR is where it gets patchy, as outlined below:

These results show that although users know about the new data protection law, they still don’t have adequate understanding in the areas that may really affect them. Less than half (42%) of respondents are aware of their right to have all data held on them deleted. Just over half of respondents (52%) know that organisations are obliged to tell individuals if they are using any of the information they hold on them. These figures seem quite low for understanding of the core values of the GDPR.

Although understanding of specific elements isn’t as high as consumer awareness would suggest, the elements of the legislation are clearly valued. 72% of respondents said that it’s very important for them to know if an organisation is hacked and sensitive personal data could have been stolen from them. And 62% of respondents said it was very important for organisations to tell individuals if they are using any of the personal information they hold about them. This confirms that public understanding of the value of their data is definitely higher than it might have been pre-GDPR, with 57% of respondents agreeing with the statement that ‘GDPR has given me more control over my personal information’.

The Information Commissioner, Elizabeth Denham, stated that “The focus for the second year of the GDPR must be beyond baseline compliance – organisations need to shift their focus to accountability with a real evidenced understanding of the risks to individuals in the way they process data and how those risks should be mitigated. Well-supported and resourced DPOs are central to effective accountability.” As the GDPR progresses and matures, companies must continue to take the values and principles of the GDPR seriously and continue to employ resource to maintain these standards. The era of leniency will soon be over and companies will need 100% compliance to be taken seriously when opting to gain personal information.

This article was written by Sarah Fellingham, Data Protection Officer and Insight Manager at Prophecy Unlimited.
