2 years of GDPR: What have we learned?

by Sypher - June 03, 2020

The 25th of May marks two years since GDPR became applicable in the European Union. These were two challenging years for companies, Data Protection Officers (DPOs) and consultants alike. We wanted to know how challenging it was for people working in the field, so we asked seven data protection specialists to describe this interval from a professional perspective. This is what we found out.

Bogdan Manolea, a legal expert, summarizes it as “Two rather complicated years. On one hand, those who believed that after the 25th of May 2018 the world would end and a new era would begin in data protection might feel a bit disappointed by a heavy system, with a long way from theory to practice. Also, the enforcement process underlines the various limits (human, financial, technical knowledge) of the authorities and, at the same time, a lack of planning. On the other hand, those who believed that after the 25th of May 2018 nothing would happen might feel disappointed as well. Companies were fined, even small ones. The authorities seem more determined now than before to apply the legislation, and the topic of GDPR has gained more visibility”.

In fact, as Bogdan Manolea suggests, the most important gain for the industry might be precisely that everyone involved in digital business now knows about GDPR.

Serban Popa, GDPR consultant at Unity Solutions, identified some characteristics of the period that followed the 25th of May 2018: “A certain lack of understanding, especially from the people responsible in entities operating with personal data, and a variety of ambiguous compliance solutions provided by a large array of specialists lacking both expertise and experience”.

In the following months – he remembers – “Big companies started to run complex analysis processes. And, after more than a year, the authority started to impose corrective measures, sanctions and fines, and operators finally understood that we have a new supervisory authority, similar to the one active in the Competition area. Also, important clarifications from the EDPB and western DPAs became available”.

For Raluca Puscas, Partner at Filip & Company, “The most visible effect is probably the increase in awareness, at both organizational and individual level, of the aspects related to data protection. GDPR became part of the conversation whenever topics like internet data security, marketing campaigns, e-commerce, remote work, or measures applied during an emergency arise”. She believes that, consequently, big operators have become more responsible, revising existing policies and investing in compliance programs.

Raluca Puscas underlines another important aspect: “Within this continuous process, operators reached important milestones, like making the processing operations more transparent by communicating privacy policies and adequate information notices, or implementing the mechanisms for exercising data subjects’ rights”. She also notices the rise of “The concern for ensuring data security and data loss prevention, and for incorporating the privacy requirements in the activity areas or the new products that companies want to develop”.

For Stefan Iancu, GDPR Consultant at iPrivacy, this period meant “An increase in attention to data protection within and outside Europe, as many countries are interested in implementing similar legislation. Even though the majority of operators were not as prepared as expected – a fact demonstrated by the large number (over 270) of fines applied in Europe – a big part of them proactively continue their efforts to obtain and maintain GDPR compliance”.

In his opinion, “The number of fines is relatively small compared to the number of complaints, and the amounts tend to stay at the minimum level relative to companies’ turnover. For example, the biggest fine applied, to British Airways – 204,600,000 EUR – only represents 1.5% of the operator’s turnover”.

Roxana Mitroi, Attorney at Law at bpv GRIGORESCU STEFANICA, notices “A growing trend of data protection awareness”. As the legislation applies to all kinds of companies, both local and international, this trend is observable across all organizations. She adds that “Some industries are obviously more exposed than others, mostly through the large volume of personal data processed or through the complexity of processing operations”.

According to Roxana Mitroi, “The main players understood that the GDPR norms cannot be avoided by contractual workarounds that assign responsibility to third parties or to data subjects, or even remove their own liability. Therefore, because some companies rapidly became aware of the strong negative impact of the loss, deletion or theft of personal data, they started their journey towards GDPR compliance in advance, even before the 25th of May 2018. Also, two years after this moment, hard work in this area is visible. This hard work refers to post-implementation moments, due to processing flows and activities that may undergo changes over time”.

For Marius Dumitrescu, Data Management and GDPR Compliance Solutions Specialist, “GDPR is not a revolution, but an evolution!”. According to him, “Two years ago, GDPR entered our lives through a boom of consent requests, solicited by operators willing to quickly comply with the new GDPR regulations. Unfortunately, even today, there are operators using consent as the legal basis for processing data subjects’ health data, which makes me conclude that DPOs’ suggestions and recommendations are not yet followed and the DPO is not involved in management’s decisions”.

Marius Dumitrescu also notices that during the last two years, “Many consultancy companies used panic as a selling strategy, using deceptive marketing instead of endorsing the need for real training of personnel to raise awareness. We can still see the consequences of the marketing campaigns from two years ago that promoted formal GDPR compliance without the services of a specialized DPO or consultant”.

Marta Popa, Senior Partner at Voicu si Filipescu SCA, notices: “The General Data Protection Regulation (GDPR) was the Y2K of data privacy, not only in Europe, but worldwide. Organizations around the world scrambled to comply with it, fearing very onerous consequences for noncompliance. But the GDPR language is very high-level, and often vague, so compliance in many cases has been a guessing game for many entities, public or private. We must expect that there will be further legislation in the data protection arena, including the E-Privacy Regulation, and we will see increased enforcement and impact, including the application of significant fines and penalties. We may also expect that Brexit will impact obligations under GDPR for some companies. Other future concerns include health data processing guidelines in the context of COVID-19, Artificial Intelligence (AI) and the liability of robots”.

Marta Popa concludes that: “Two years of GDPR have definitely brought many benefits for organizations. In the first place, GDPR has brought better data hygiene and data management. Secondly, data privacy and protection have been brought to board level, which is a major positive impact. And thirdly, entities investing in privacy compliance have benefited from increased trust from their customers and business partners”.

This article is the first in a four-part series aiming to give a detailed picture of the local GDPR landscape two years after the 25th of May 2018. In the next part, the specialists we interviewed will discuss the main challenge they faced during this time.

Image by Pete Linforth from Pixabay