Two Weeks Into the GDPR Enforcement Phase, What Now?

It finally happened. The General Data Protection Regulation finally went into its enforcement phase on May 25, 2018, memes and all.  

Was the industry ready? Were those last-minute policy updates enough? What happens now? In this blog post, we take a look at how major players prepared for the deadline, what’s to come with the GDPR in place, and how your company can work toward compliance from here on out.

First Strikes on the Biggest Players

It didn’t take long for the largest companies to feel the sting of litigation. Only minutes after GDPR went into effect, privacy activist Max Schrems and his organization None of Your Business hit Google and Facebook with lawsuits alleging “forced consent.” The lawsuits claim noncompliance with GDPR rules on particularized consent, because these companies give users an all-or-nothing option —  agree to these terms to access this service — instead of allowing them to consent to some terms and not others.

Google and Facebook responded by insisting they have taken adequate measures to comply with the GDPR.

Then French digital rights group La Quadrature du Net followed suit, filing additional complaints against Google, Facebook, Apple, Amazon, and LinkedIn. The complaints are similar to those made by Schrems and allege violations via the use of forced consent. La Quadrature is also planning to file formal complaints against Android, WhatsApp, Instagram, Skype, and Outlook, though as of this writing has yet to take official action.

How Apple, Facebook, and Google Prepared

While it’s hard to say if the complaints truly surprised any of these companies, many of them had communicated a general sense of readiness in the days leading up to enforcement.

Apple, for example, in late May 2018 introduced a new website showing customers what personal data it holds on them. Apple customers in the EU can now request to see this data, from sign-in history to contacts, calendar, notes, photos, and documents. Customers can also correct data, deactivate their account, and delete all information. (Apple currently offers this service only in EU countries, Iceland, Liechtenstein, Norway, and Switzerland, but says it plans to expand to other countries later this year.)

In April 2018, Facebook updated its website with clearer versions of its terms of service and data policy, giving users seven days to provide feedback on the new language before finalizing and asking users to agree to it. Facebook also revealed that it would be overhauling and streamlining the app’s controls to make settings easier to find, saying “instead of having settings spread across nearly 20 different screens, they’re now accessible from a single place.”

Google was one of the earliest actors, as they made GDPR-related updates and notified users over six months before the GDPR deadline. The most significant updates were made to data processing amendments and security terms for G Suite and Google Cloud, which make them easier to understand in order to comply with the requirement for “clear and transparent notice” of how data will be used. Other updates include new options and capabilities for exporting data.

What’s Ahead

The full impact of the GDPR is yet to be determined, and in part will rely on how heavily customers and activist groups exercise their new rights. In an August 2017 Forrester survey of U.K. consumers, 51% of respondents said they were at least somewhat likely to exercise their new rights under the GDPR. However, the most common example cited was data deletion — a far cry from fully-fledged lawsuits.

But the biggest takeaway of this new regulation isn’t that more consumers are scrutinizing companies — it’s that more companies are scrutinizing other companies. Because GDPR mandates shared responsibilities for all parties touching personal data, companies are scrutinizing the processes and actions of their business partners much more deeply. That’s the true genius of the GDPR, Director of Data Compliance Europe Simon McGarr explains in a recent Quartz article:

“Europe has plenty of data protection authorities but it doesn’t have enough to go knocking on every door. So they’ve had a multi-level compliance structure built into the law where you end up with large companies enforcing compliance on small companies, and so on down the line.”

Companies less prepared than they’d hoped to be after May 25 may already be feeling the pressure from their business partners, and cyber security expert Elliot Rose predicts there will be plenty of organizations that are still getting up to speed after the deadline. For those in this situation, the first priority is to address high-risk areas that deal with sensitive information. Companies should focus on securing sensitive data, looking into where it’s stored, and who has access to it. The important thing is to get a plan in place, and get going as fast (and accurately) as possible.

Staying Prepared

Ultimately, the GDPR will help even the playing field when it comes to privacy and transparency, and open the doors to communication where they were closed before. As a company, here are a few steps you can take to keep the conversation going:

Assess How Data Is Legally Processed

Do you have your end users’ consent? Is it specific, unambiguous, and freely given? Does your end user experience make this clear? Do you have a legitimate interest to collect, process, and store the data? If you can’t answer each question with a “yes,” it’s time to take a step back.

Update All Necessary Notices

Have you reviewed your current privacy policies, notices, or other information you provide to end users? Are these important notices at the point of collection? A review of all privacy notices may be necessary to keep your data collection, use, and storage transparent to end users.

Adopt Data Access, Right to Correction, and Right to Be Forgotten Protocols

These principles allow your end users to correct outdated or inaccurate personal data and to be removed from processing altogether. Internal policies and procedures should be implemented and maintained to appropriately respond to such requests.

Use Pseudonymous or Anonymous Data

Consider removing or limiting unique identifiers through the anonymization or pseudonymization of data. Some techniques include hashing, salting, encryption, and the use of tokens. This may help minimize the potential for future identification of end users, and may also help minimize your compliance obligations.

To learn more about TUNE and the GDPR, read our page here.