Just a little over a year ago, companies all over the world were still scrambling to update their flows and documents so that the onset of GDPR wouldn’t catch them (completely) unprepared.
The risk of huge fines – up to €10 million or 2% of the annual revenue – and of being reported to local authorities pushed companies to take protecting their users’ data more seriously.
For some, improving their data collection and management practices came naturally, albeit not without a bit of effort. For others, it was the first time they’d ever paid attention to this important aspect of doing business in the digital era.
Over a year later, we can’t help but wonder if GDPR has the expected impact privacy and security advocates hoped it would have. To answer this question, let’s take a look at the data and see which type of progress it indicates.
GDPR awareness is high, but many still don’t know what it is
Earlier this year, the European Commission tasked a special Eurobarometer survey to assess the level of awareness of the GDPR among Europeans, “as well as more general opinions and behaviors relating to data sharing and data protection.”
The survey reveals “the majority (67%) of respondents have heard of GDPR,” but only 36% of them know what it is.
When it comes to practical matters, “almost three quarters (73%) have heard of at least one right guaranteed by GDPR.”
Top 3 most exercised GDPR rights
According to the special Eurobarometer, here’s how many people have heard of the main rights guaranteed to European citizens by GDPR:
65% – The right to access personal data collected by companies or organisations
61% – The right to correct or update that data
59% – The right to object to receiving direct marketing
57% – The right to be forgotten, and have personal data deleted
50% – The transmission of personal data to another entity
Of all the rights protected by GDPR, Europe chose to exercise these most often since the regulation came into force:
Object to receiving direct marketing – 24%
Access to personal data – 18%
Correct personal data if it is wrong – 16%
How GDPR awareness impacts online behavior
The General Data Protection Regulation wasn’t just meant to give governments the means to enforce data security rules. Another key objective was to change how both companies and users behave when it comes to ensuring personal data remains private and protected.
In this sense, GDPR seems to have had the desired impact. The Eurobarometer data shows that 65% of people “who provide personal information online feel they have at least some control over this information.”
Another interesting fact the data shows is that users may have moved some of their own responsibility to GDPR enforcers. Two indicators led to this observation:
“Respondents are less likely to read privacy statements than they were in 2015 (-7 percentage points).”
A similar behavior pattern emerges when dealing with social media usage.
Fewer users – 56% in 2019 vs 60% in 2015 – actually change the privacy settings of their personal profile.
The three most common reasons social network users give for not trying to change their personal profile’s default settings are that they trust the sites to set appropriate privacy settings (29%), that they do not know how to (27%), or that they are not worried about sharing their personal data (20%).
Overall, the concern for personal data protection and privacy seems to have decreased, which leaves an even bigger gap to fill for privacy and security advocates.
Respondents who feel they have partial or no control over the information they provide online were asked how concerned they were about this. Overall 62% say they are concerned, with 16% ‘very concerned.’ Almost four in ten (37%) say they are not concerned, with 6% saying they are ‘not at all concerned.’
This emotional distance between internet users and their data correlates directly with disengagement when it comes to exercising their rights to data protection and privacy.
GDPR fines so far
While many users are still oblivious to the real-world dangers their unprotected data could expose them to, authorities tasked with enforcing GDPR rules are responding to complaints.
The European Data Protection Board stated that:
The total number of cases reported by SAs from 31 EEA countries is 206.326.
Three different types of cases can be distinguished, namely cases based on complaints, cases based on data breach notifications and other types of cases. The majority of the cases are related to complaints, notably 94.622 while 64.684 were initiated on the basis of data breach notification by the controller.
The good news is that 52% of these reports have already been closed.
Until mid-March 2019, authorities in EU countries issued fines totalling 55,955,871 EUR. The biggest chunk was the 50 million EUR fine the National Data Protection Commission in France (CNIL) imposed on Google in January 2019.
In June 2019 in Spain, the AEPD (Agencia Española de Protección de Datos) fined LaLiga, the national football premier league, 250,000 EUR for infringing on its users’ privacy and collecting data by remotely activating their smartphones’ microphones without their knowledge.
The privacy regulator in Poland fined a company over £187,000 for breaking GDPR provisions because it was scraping public data and using it for commercial purposes without notifying consumers.
What’s more, the Swedish data protection authority (Datainspektionen) launched a review of Spotify’s practices for handling requests from users who want to see what information the company holds about them. Spotify is suspected of being unable to properly handle these requests (data subject access requests), one of the processes made mandatory by GDPR.
More visibility over data protection practices but a long road ahead
While these GDPR statistics show that there’s been a good amount of progress over the past year, the larger landscape of privacy invasions and cybercriminal tactics calls for determined focus to make privacy and security the main concern.
While authorities may be able to force companies to strengthen their processes and technological defenses (especially against data breaches), they cannot do the same for end-users.
Making the same concerns a priority for regular internet users requires a sustained educational effort that will form an emotional bond between users and their personal data.
Constantly bringing topics like data breaches, online fraud, or identity theft to their attention will certainly help bridge the gap between sharing their data on the internet and what can happen if it gets leaked.
We will continue to keep an eye on GDPR and how it works for European companies and citizens and beyond.
About the Author: Andra Zaharia
With 6 years of experience in cybersecurity, Andra focuses on using her communication skills to educate people around the world on the fundamental importance of data safety and privacy.