An optimistic view of GDPR one year on

We all remember the context in the run-up to May 25th 2018. GDPR was the hot topic and the press gave it coverage, reaching certain level of saturation, to provide information with more or less rigor on the most relevant news regarding the European Regulation.

May 25th 2018 is one of those key dates that has become ingrained, without having to accept cookies beforehand, in our collective memory. But what has happened after? Were expectations met?

The discourse of fear: Expectation versus reality

The European Data Protection Regulation has significantly raised the fines levied for data breaches. Companies faced this reality with a certain degree of fear and concern, however, was it really necessary?

The discourse of fear tends to reign triumphant. We see reports on the levying of huge fines rather than more optimistic arguments highlighting how the correct GDPR implementation can be a competitive advantage for companies.

This brief one-year period shows us a reality that, in practice, is somewhat different to the expectation that was generated. We can paint a more positive picture if we focus on adapting to change, promoting proactive responsibility and learning from what is happening around us.

There really are no advantages to the discourse of fear because it is paralyzing, and we are currently at a crossroads where we need to take action. I personally have more faith in educating, raising awareness and encouraging prevention. It is not a question of getting around the fining system, but rather understanding the principles that it is based on to avoid being fined.

Learning from our surrounding environment

European supervisory authorities have started to levy their first fines and open investigations, companies such as Facebook and Google are not the only ones that have received penalties. Here is a list of the most significant ones:

What lessons can we learn?

There are two main issues: On the one hand, breaches of obligations of transparency, confidentiality and information or a lack of consent will be heavily fined, and on the other hand, strengthening security measures will prevent serious damage.However, the immediate actions we take after a security violation or breach will make a difference to whether the infringement is classified as serious or very serious.

It should be stressed that, at present, the Spanish Data Protection Agency has not levied significant fines on any company under the framework of the new European regulation. However, it has issued the first rulings imposing penalties for solvency breaches and video surveillance usage, as well as some rulings that are simply cautionary.

What next?

In the coming months, companies will no doubt have to face new challenges, as they will find themselves having to combine their ongoing efforts to adapt to the new data protection system with the obligations outlined in the recent Business Secret Law, the concerns generated by Brexit and the future ePrivacy Regulation.

Business models that do not adapt to the new environment will become obsolete, outdated and rendered being pushed out of the market. On the contrary, those that know how to leverage this opportunity will establish sufficient competitive advantage.

The trend is unstoppable, so instead of fearing how the regulation will affect our current business models, we need to take action. We need to analyze and design our business models taking into account their impact on privacy, act under the general principle of proactive responsibility and enjoy the advantages associated with implementing GDPR correctly!

Happy first birthday GDPR!