GDPR at Age 2: Nothing has Changed, yet Everything has Changed

eWEEK SECURITY PERSPECTIVE: Two years after the institution of the EU data privacy regulation that has impacted business globally, some aspects of data protection have improved, while others have not. The jury is still out on the effectiveness of the law.


If you were to believe the lofty ideals of Europe’s General Data Protection Regulation, we’d have entered a world in which our personal information is treated like the valued thing that it is. It would be carefully hidden away, free from the prying eyes of hackers, telemarketers or corporate spies. Every company that has business in the European Union would have a Data Protection Officer, it would know where your data was, it would be able to limit access to that data, or at your request, remove it entirely. Oh, and data breaches would be a thing of the past.

But as we found out in eWEEK’s query to businesses about life after the GDPR, that hasn’t happened. Neither have the other things that pundits suggested might happen. For example, the United States hasn’t followed Europe’s lead and instituted meaningful privacy regulations. While some states, notably California, have privacy laws clearly inspired by the GDPR, those are by no means the norm. And telemarketers are still getting your information and calling you, and every product you’ve ever viewed online is still haunting you in ads and searches years later.

GDPR actually causing some data breaches

We still see data breach reports from companies large and small, including industry giants such as GE, Marriott and Carnival Cruise Lines reporting data breaches. So what’s going on? As it happens, those data breach reports are in many cases because of the GDPR. This isn’t to suggest that the law is causing breaches, but rather that it’s resulting in companies reporting breaches. This same reporting requirement is now raising its head in the U.S., which means that companies that likely wouldn’t have reported a breach in the past are now required to do so.

These GDPR requirements also explain why you’re seeing disclaimers on nearly every website that uses cookies and gives you a chance to agree. Some companies are also telling you what private information they collect and what you can do about it. And some companies and government agencies are making a significant effort to protect your privacy--in some cases impeding the usability of their sites in the process. 

Go to a medical website, something that is now the norm in the face of the COVID-19 coronavirus, and you’ll find that you can’t just do a quick Zoom call with your doctor. Instead, you must first fill out a series of disclaimers and agreements allowing your doctor to discuss your health-care needs. Then you must sign on using a poorly written, frequently poorly functioning web application that may or may not actually connect you with your doctor. Lately, I’ve seen far more video visit attempts devolve into phone calls than I ever thought likely. 

VA exemplary with its web service

Of course there are organizations that handle the whole privacy issue well. The Department of Veterans Affairs, with the help of the U.S. Digital Service, has crafted a functional yet secure website for the support of veterans who receive medical treatment from the Veterans Administration. While the process of accessing the site does involve several steps that are required to make sure that the person accessing a veteran’s medical records really is authorized to do so, it’s clear that the aim of the VA to protect records while making them available is being met. 

Where does the GDPR fit into all of this? After all, the U.S. government isn’t controlled by the European law, and for that matter, it’s not subject to California’s CCPA. What has happened is that in spite of the lack of comprehensive privacy legislation, mainly due to a dysfunctional government, agencies have made it clear that they see the need for privacy practices that meet the requirements of such legislation. 

The same is true for many companies. Faced with demands for privacy in Europe and California and soon other states, large companies, especially those with divisions in Europe, have decided that they will simply apply the requirements companywide. This happened last year when Microsoft announced that it would be applying the GDPR’s privacy requirements across its operations globally. When the CCPA takes full effect, the company will also follow those practices. The reason is that it’s nearly impossible to follow the resulting patchwork of regulations if you try to tailor your response to each locality. Instead, you follow the most strict requirements everywhere.

GDPR will lead the way for the world

And that, ultimately, will be the impact of the GDPR. Even companies with limited business in Europe or California will follow those rules if they can, because it’s simpler and thus cheaper to do it that way. Once you figure out the requirements of those laws, you only need to make sure that your practices meet them both. Then your practices will exceed the requirements of any local regulations. 

This is also what you should expect as you interact with other companies, either as a customer or as a business partner. You will have to deal with a flurry of check boxes and disclaimers, authorization forms and authentications, but they will be mostly the same for everyone. It will be the standard way business is done. The GDPR will simply become part of your routine business practices. And that is its real impact.

Wayne Rash, a former executive editor of eWEEK, is a longtime contributor to our publication and a frequent speaker on business, technology issues and enterprise computing.

Wayne Rash

Wayne Rash

Wayne Rash is a freelance writer and editor with a 35 year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He covers Washington and...