Wherever you go on the web, privacy notices and cookie consent banners have felt inescapable since the General Data Protection Regulation (GDPR) went into effect in 2018.
Hailed as a watershed moment for online privacy, the GDPR has brought burgeoning privacy issues to the fore and attempted to solve them through some of the strictest data privacy regulations seen globally. Just two years on, however, many argue that the laws have actually fuelled frustration and indifference around online privacy — both from the businesses required to comply and from consumers themselves.
In this article, we’ll cover the pros and cons of the GDPR and how small businesses can adapt going forward.
One of the most immediate positive impacts of the GDPR has been increased accountability for, and legal action against, companies that engage in deceptive privacy practices. To date, many large companies like Google and Facebook have been fined millions of dollars for data breaches and for failing to properly disclose how customer data is tracked, used, and stored.
To prevent and mitigate future privacy violations, the GDPR introduced a series of compliance requirements that organisations must follow, such as obtaining explicit consent from users before collecting and using their data. Businesses also need to recognise and inform users of their “data rights”. For example, users now have the right to request the deletion of their data and to access any information a business holds about them.
Additionally, these changes have been underpinned by improved cybersecurity standards set out by the GDPR. According to a 2019 survey by software company Egress, 93% of US-based IT decision-makers stated that they’d taken action to improve and adapt their data security practices in compliance with laws such as the GDPR.
Despite these early successes, however, the laws are not without their own shortcomings.
For many businesses, getting compliant can be costly and time-consuming. Aside from being an exceptionally long text to read, some sections of the GDPR have been decried as too vague. This has compelled some businesses to hire expensive lawyers to sift through the regulation, while leaving others to navigate it all by themselves and risk noncompliance.
Additionally, the requirement for some companies to appoint a Data Protection Officer and to overhaul their data handling and cybersecurity practices puts smaller businesses with smaller budgets at a much greater disadvantage.
And of course, for consumers, the repeated requests for consent and lengthy privacy statements have inevitably led to widespread annoyance and opt-in fatigue. Unfortunately, the GDPR’s attempts to increase transparency and enforce strict conditions for consent have in some cases manifested as intrusive pop-ups and as sneaky tactics, used by data brokers and unscrupulous online marketers, to extract user consent.
Still, although the GDPR’s presence in today’s digital world is far from perfect, it has proven to be a driving force for better data privacy regulation worldwide and has generated significant awareness of the risks of sharing one’s personal data online.
For most small businesses, getting GDPR compliant doesn’t have to be complicated.
As a general principle, the GDPR recommends that businesses should only collect people’s data when necessary, and keep data privacy considerations at the forefront when designing a website or app. Making this the cornerstone of your approach can save your business a lot of trouble in managing user consent and protecting people’s data down the track.