
GDPR: Challenges for Businesses, Eighteen Months On


About The Author

Kerry Gibbs (Guest Contributor)

Kerry has a BA Hons (Criminology with Law) degree and also completed a Graduate Diploma in Law at Birmingham City University. She is currently studying for a Masters in Business Law at De Montfort University. She particularly enjoys getting up to speed with new laws that affect businesses like GDPR, and supporting B2C businesses with her Consumer Law knowledge. You can find more from Kerry at https://www.bebconsultancy.co.uk/blog/.

The European Union (EU) adopted the General Data Protection Regulation (GDPR) law on 14 April 2016, and it was implemented on 25 May 2018, eighteen months ago. The GDPR affects businesses with regards to the way in which they collect, process, and store data of their EU customers and prospective customers.

Keep Calm Talk Law has covered GDPR in a number of previous articles: İnayet Baytaş' introduction to GDPR and competition law, Dena Anee's piece on GDPR and privacy law, and Ceylan Simsek's look at the impact of GDPR on the NHS. This piece will focus on GDPR’s impact on businesses and their customers, and on some of the key issues for legal professionals advising businesses on GDPR eighteen months after its introduction.

The primary purpose of GDPR was to unify European data privacy laws to protect and empower EU consumers. When GDPR was adopted by the European Parliament in 2016, EC commissioners Frans Timmermans and Věra Jourová stated:

“The new rules will ensure that the fundamental right to personal data protection is guaranteed for all. The General Data Protection Regulation will help stimulate the Digital Single Market in the EU by fostering trust in online services by consumers and legal certainty for businesses based on clear and uniform rules.”

The law covers all entities that do business with EU countries and citizens. It also covers any organisation that has EU staff even if it is not located in the EU, and any company that collects, processes or stores data of EU citizens and residents (for example, the IP addresses of internet users). Organisations that have no physical address in the EU but conduct business with EU countries and citizens are not exempt from GDPR.

What are the benefits of GDPR?

In theory, GDPR benefits both organisations and consumers by improving consumer trust and security, modernising technology, and enabling better decision-making for all parties.

Trust and Security

An organisation’s compliance with GDPR should provide assurances that it is adequately protecting its customers’ personal information. In turn, users can feel safer transacting with GDPR-compliant websites since they are deemed more trustworthy.

This goes hand in hand with the increasing prevalence of cyberattacks. According to a government report from 2017, almost 6 out of 10 major firms experience some form of digital attack. Under GDPR, unauthorised access to data is limited through privileged access and identity management. Such a system is designed to restrict critical information to a few individuals, reducing the number of potential avenues for a breach or loss of data. It also narrows accountability to the personnel who actually have access to the system. Article 33 of the GDPR further requires that any breach be reported to the supervisory authority within 72 hours of the organisation becoming aware of it, enabling users and third parties to respond swiftly.

Technology

Once companies adopt GDPR, they can retire their old and frequently outdated data inventory software and applications. For example, they can store personal information using reliable cloud services instead of their own local infrastructure. Such a move can save the company maintenance costs and man-hours in the long term, but companies may previously have been hesitant to take on the short-term investment of time and money. With the arrival of GDPR, many are forced to update.

Complying with the new EU data laws also allows organisations to improve their network by migrating to the latest technologies. This can range from cloud computing and virtualisation to the Internet of Things. The Internet of Things (IoT) is a system of inter-related mechanical and digital devices, which in a business context can help companies manage and scale the growth of their data and offer customers improved products and services. Third-party software can also aid organisations in the monitoring and protection of their data against unauthorised access. By upgrading to the latest technologies, companies will both comply with GDPR’s requirements and improve the security of their customers’ data.

Decision Making

Article 13 of the GDPR clearly specifies how companies should handle personal data (which is itself defined in Article 4(1) as “any information relating to an identified or identifiable natural person”). For example, website users have the right to know why the company is collecting their personal information. The provisions under Article 13 provide a clear guideline to companies on what is permitted or illegal in the handling of personal information.

Under Article 22 of the GDPR, automated decisions regarding users’ personal information are discouraged unless necessary. For example, the decision to grant insurance or a loan to a customer will require some element of review by a human being rather than a purely automated process. The framers of GDPR believe that automated decisions are prone to errors and unjust results. As a side effect of Article 22, organisations may have to learn more about their customers’ identity and needs in order to make decisions. Such a move should ensure that companies obtain better returns on their investments, while hopefully providing better outcomes for customers.

Companies are also encouraged to assess risks more seriously. They have to because, under GDPR, failure to do so will result in fines and possibly damage the reputation of the company. Such penalties will encourage the organisation to establish a digital system that is secure and resilient. Data breaches remain possible despite every precaution, but adopting the technologies mentioned above will help mitigate the risks and leave companies better prepared to avoid digital theft.

What are the Challenges of GDPR?

The adoption of GDPR even by non-EU companies is changing businesses worldwide. Users are regaining control of their personal information. However, GDPR is a complex legal instrument and presents challenges for both businesses and consumers.

Challenges For Businesses

GDPR has increased the accountability of those handling personal data. The idea is to improve transparency and trust, but GDPR is process-driven, meaning that companies may have to spend time, money, and effort performing additional processes in an already cumbersome procedure.

Implementation of GDPR requires an initial audit of the company’s system. However, many firms are struggling with even this first step. To successfully complete the audit, companies need to consider, across their entire operation:

  • What data do they need to collect?
  • Where will they find the source of their data?
  • Where do they store their data?
  • How do they use it?
  • Who has access to such data and for how long?

For companies dealing with large numbers of customers, sometimes in many countries or many different subsidiary businesses, these simple questions can quickly spiral into a very extensive set of considerations. Completing such an audit will also cost the company in time and money, and require budget planning alongside the company’s usual business. A suitable amount must also be set aside for ongoing obligations to maintain data privacy and security after the audit and implementation is complete. Organisations will spend most of that budget on researching GDPR-compliant technologies, implementing them, and making sure they have the necessary manpower to implement the new rules.

GDPR has expanded users’ rights to their personal information. In addition, companies cannot obtain data without a user’s consent - under the law, companies and websites have to request such data. Meanwhile, users will likely have questions about how their information is processed. Organisations are obligated to respond to these questions because a non-reply can result in a fine. They should have an answer to each of the following:

  • What is the purpose of the data processing?
  • How will the gathered data be categorised?
  • Who are the parties handling the user’s data?
  • How long will the personal information be stored for?
  • How will requests for correction, erasure or cessation of processing of user information be handled?

GDPR has been in effect for quite some time, and in an ideal world both companies and their personnel should now be well-versed in implementing procedures dealing with users’ rights, consent, and what the company is permitted to do with what types of information. In many cases, however, this process is far from complete. Legal professionals have a continuing role to play in advising companies to ensure that all of their plans and decisions are fully compliant with GDPR. 

Challenges for Customers

Chapter 3 of the GDPR, “Rights of the data subject”, contains Articles 12 to 23, detailing the rights of users with regard to their personal data. Article 23 also sets out the limits of the data privacy law. İnayet Baytaş’ article dealt with some of these rights and responsibilities in more detail back in 2018. It is essential that people are made aware of their options in case those rights are abused. Vigilance is required, since any misunderstanding can lead to situations where sensitive information is given away accidentally. Moreover, ignorance of the law may not help their case against a company to which they have given their information and consent.

Users should give their clear permission before a business can process their personal information, and GDPR insists that any consent should be clearly stated to avoid confusion. However, getting consent from users in practice isn’t that difficult. For example, a website can include a simple tick box stating that the user consents to being added to a mailing list, and clicking ‘I agree’ on a site’s terms of use also implies that they are giving consent. Unfortunately, many people don’t give much thought to such terms, especially if there are a lot of legal terms and jargon involved. Once consent is given, the user will have to perform a series of tasks to reverse their decision.

In the case of a data breach, companies are obligated to inform users if their information has been compromised. However, every data theft is unique, so the courts often determine how much information (i.e. what level of detail) a company has to provide about the incident. This can frustrate users, who are understandably upset over the violation of their privacy and a lack of transparency from companies, reinforced in some cases by the courts.

What is the professional’s role in GDPR compliance?

Under Article 6 of GDPR, there are six lawful bases that allow companies to process personal information. The six bases are:

  1. Consent – Clear permission has been given to process the personal data for a particular reason.
  2. Contract – Both parties have entered into an agreement which includes processing the personal information (e.g. terms of service).
  3. Legal obligation – The processing is necessary for the data controller to comply with a legal obligation (e.g. money laundering regulations).
  4. Legitimate interest – Either the controller or a third party has a “legitimate interest” which is served by processing the data, subject to the other rights and restrictions of GDPR.
  5. Public task – The processing of the personal data is in the public interest or in the exercise of an official authority.
  6. Vital interests – Processing is necessary in order to protect the “vital interests” of the data subject or another natural person (but not the data controller/company).

Companies will often require professional help, especially in online interaction with users, to determine which bases apply to a particular situation, and this is a fundamental area for professionals advising on GDPR compliance. This article discusses the bases and examples of issues around the first basis, consent: not just companies failing to obtain consent, but also some that go over the top in their efforts to comply.

GDPR has been around for quite some time, but professionals still have a role to play both in advising those new to GDPR and in improving practices at established businesses, many of which have yet to implement a proper data protection plan or have run afoul of GDPR since its implementation. Search giant Google was fined €50 million early in 2019 for GDPR violations. According to the French regulator CNIL, the company’s personalised ads lacked transparency, didn’t provide enough information to users, and didn’t request the necessary consent.

Facebook, another US digital giant, was fined £500,000 in 2018 for collecting data from friends of Facebook users while failing to inform those people about their information being collected.

News coverage tends to focus on large fine amounts and well-known companies, but small companies aren’t spared from GDPR enforcement either. Most of these companies were not penalised for collecting the personal data of their users. They were punished for violating their privacy notices in that they didn’t inform people how they process their personal data or the reason for such collection. 

Even charitable foundations have been fined for violating data protection rules, including Cancer Research UK, Macmillan Cancer Support, and the Royal British Legion. These institutions were fined because their privacy notices didn’t sufficiently indicate that personal information underwent a wealth analysis process; their aim was to identify people who have the financial resources to donate more money, but running these processes without informing data subjects ran afoul of the law.

Conclusion

GDPR serves as a much-needed shield for safeguarding people’s right to privacy. There are challenges for both businesses and users, but the security of one’s personal data is paramount, and there are benefits to be had for compliant businesses, from improved consumer trust to better data security and decision making. Many companies have yet to fully implement this law eighteen months after enforcement began; in some cases this is due to unwillingness to adapt to the new rules, in others to simple confusion. Organisations that delay face stiff fines and other penalties, and there is a continuing need for professional legal advisors who are up to date on GDPR and able to advise companies on how to ensure full compliance.
