25 May 2020, is the second anniversary of the application of Europe's strengthened data protection rules, the General Data Protection Regulation, widely known as the GDPR.

Happy second Birthday GDPR! ??

But how successful has the GDPR been?

Has it failed in its attempt to establish an appropriate balance between organisational obligations and individuals’ rights? Is it toothless and ineffective? Or has it at least succeeded in raising issues of privacy and personal data protection higher up the agenda?

The failings of GDPR

The most common criticism of the GDPR that get it accused of ‘failing’ is that regulators are failing to enforce it against businesses so instead it is left for private actions to take any actions through the courts. This apparent paralysis of regulators varies by country with the UK and EIRE coming under greater such criticism than mainland Europe.

The GDPR is also accused of backfiring and creating damage in cases where organisations actually hide behind it as a privacy law giving them a reason for non-disclosure of data rather than as a data protection law governing how it should work.

10 benefits of GDPR

But what of the positive outcomes of GDPR? Here are ten:

1. Awareness

GDPR has raised the awareness of privacy and data protection as a whole. Not so long ago the topic had little awareness among consumers but was also given little attention within businesses. Now data and privacy have a ‘seat at the table’ in business. The conversation about data protection and rights has become mainstream. Would there have been as much debate around contact-tracing apps for COVID-19 if GDPR had not raised the awareness around digital privacy so much?

2. Return on Investment

A focus on privacy pays. According to Cisco’s latest 2020 benchmarking study (From Privacy to Profit: Achieving Positive Returns on Privacy Investments, Cisco Data Privacy Benchmark Study 2020) more than 40% of organisations are seeing benefits at least twice that of their privacy spend. And the trend is on the up: the percentage of organizations saying they receive significant business benefits from privacy (e.g., operational efficiency, agility, and innovation) has grown to over 70%.

3. Accountability

Despite accusations of poor enforcement by regulators, even the threat of enforcement action and fines has forced data protection and privacy up the management agenda and made businesses aware of their accountability. Not just the threat of fines but change orders, stop orders, audits, investigations, reputational damage – all have forced businesses to be more accountable when it comes to data and privacy.

4. Transparency

It used to be that we had to agree to unintelligible legal contracts written by lawyers. GDPR has created greater transparency for individuals by separating privacy statements from the legalese and making them clearer and more readable.

5. Culture change

GDPR may have forced some organisations to begrudgingly confront how they handle data and privacy but, in the process, many have come to embrace better practices as part of their culture.  Not only has there been a stronger cultural adoption of privacy principles but increasingly companies are staking their brand on privacy as a differentiator.

6. Clarity in data management

GDPR has also forced organisations into a better understanding of where all their data actually is, how it is collected, processed and stored. It has made them improve their management of information to be more proactive. This has delivered other benefits around efficiency and security for example.

7. Individual empowerment

GDPR has forced organisations to provide better tools for individuals to manage their personal data and protect their rights.

8. Regulatory alignment

Brexit notwithstanding, the GDPR is helpful in providing a single regulatory framework that applies across the whole of the EU and has a set a standard that is being adopted by other jurisdictions around the world. They, however, are still more fragmented and less aligned across countries.

9. Innovation & creativity

GDPR has forced organisations to look at how they behave and operate with personal data. It has forced them to rethink how they do things for the better. They have had to think hard about the exchange of value and trust needed to continue to persuade customers and prospects to give their consent and data. This rethinking has driven innovation and creativity.

10. Tech for good

Whilst the big platforms and players continue to dominant the digital landscape there is a burgeoning ecosystem of smaller players who espouse ‘ethical tech’, ‘responsible tech’, or ‘tech for good’. For many, a focus on privacy and data protection is core to their propositions so GDPR is a big help.

GDPR as world-class and of enduring global influence?

To mark the occasion of the GDPR’s second anniversary,  the European Commission’s Věra Jourová, Vice-President for Values and Transparency, and Didier Reynders, Commissioner for Justice, stated: “Within two years, these rules have not only shaped the way we deal with our personal data in Europe, but has also become a reference point at global level on privacy. The GDPR has changed the landscape in Europe and beyond.”

They have a point. GDPR may have changed marketing forever among other things. Brands and marketers now talk much more about user-centricity and the fair exchange of data. Brands are seeking to differentiate around ‘privacy by design’. Advertising online has changed forever with 3rdparty cookies being blocked by default by all the major browsers – arguably another legacy of the GDPR. And GDPR has clearly influenced similar legislation around the world, like CCPA in the USA.

GDPR is about data protection but it has emboldened competition authorities more broadly. It has also acted as a unifying and directional force on adjacent areas of legislation like KYC (Know Your Customer), AML (Anti Money Laundering) and Modern Slavery.

Issues of privacy and personal data protection are, of course, more topical than ever. As the EC says:

In the context of the coronavirus pandemic, now, more than ever, citizens must be sure that their personal data are well protected. Tracing apps can only become an effective and widely used tool to support the recovery from the pandemic when citizens trust that their privacy is safeguarded. In this respect, the GDPR and EU privacy rules play a vital role.

Some of the world’s biggest and most valuable companies, like Google and Apple, those influencing our society and economy and shaping our futures, have increasingly embraced privacy by design principles in their products and services. Is this a legacy partly due to GDPR?

But what has the GDPR ever done for us?

But apart from:

  • Awareness
  • Transparency
  • Accountability
  • Culture change
  • Clarity in data management
  • Individual empowerment
  • Regulatory alignment
  • Innovation and creativity
  • Driving 'tech for good'
  • Changing marketing forever
  • Influencing legislation all around the world
  • Influencing the direction of the world’s most powerful organisations
  • Providing a framework for trustworthy innovation

    ....what has the GDPR ever done for us?!

With thanks to Abigail Dubiniecki and the members of her Privtech Nation community, including Aurélie Pols (DPO, mParticle), Ralph O’Brien (Principal, REINBO Consulting), Tony Sheppard (Head of Services, GDPR in Schools), for their ideas and input to this article.