For a long time, technology has transformed our business environment in ways nobody could have imagined. GDPR, as a renovation of the privacy rules, was not only needed but “mandatory”. GDPR is a landmark in EU legal history, since one of its objectives is to modernize the privacy legal system in order to protect personal data in a world that is always one step ahead.
Based on my knowledge of Spanish privacy legislation, and because we are lucky to live in an environment where privacy is strongly protected, GDPR implies a significant change in the industry, but neither a complete revolution nor an apocalypse. The main challenges GDPR faced after its development and approval were the modernization of the legal system, the enforcement of citizens’ individual rights and the harmonization of data protection rules throughout the whole European Union. All these challenges are an evolution and an opportunity for organizations, whether or not they are established in EU territory, to improve their internal organization, their communication, their customer and provider relationships, and even their employees’ learning about how to deal with personal data in their positions.
One of the most relevant changes of GDPR is the accountability principle, which means companies must not only comply with the rule, but also be able to prove it. In some way, this principle is reinforced by the withdrawal of the catalogue of security measures set by RLOPD and the possible need to develop the “Risk Assessments” process established in GDPR, which requires that companies take a risk-based approach that contemplates the rights of all data subjects. As a result, customers and/or consumers will feel more comfortable sharing their data with organizations that can prove their commitment to privacy by giving customers all the information they need to understand the processing of their data and asking for their explicit consent, if necessary.
DMA research shows that the majority of consumers feel more comfortable sharing their personal data since GDPR came into force and, unexpectedly, they prefer to receive personalized marketing. In other words, they would give their consent to profiling actions if that means avoiding irrelevant communications.
In conclusion, GDPR could be a great opportunity for companies to create a better relationship and engagement with their clients, as the transparency and diligence of a company increase the loyalty and trust of its clients.
Furthermore, we cannot ignore that GDPR could be substantially modified, or even derogated, in the near future. A recent IBM survey about the transformational power of GDPR shows that a great number of companies are worried about that fact.
From my point of view, we should all be careful, taking into consideration that the efforts to unify all the European privacy regulations have taken many years of negotiations, which means, in the words of José Luis Zimmermann, ADigital General Director, that “In that time many things have happened, new business models have emerged, new uses of the data, numerous innovations and the citizens’ perception has changed. GDPR is therefore a law that from the moment it came into force, it seems, in part, obsolete”.
Increasing the complexity of this issue, other regulations, such as the E-Privacy Directive, will require an “update” to align their content with the new legal provisions established in the GDPR. So, if companies thought GDPR was a “strict law”, the E-Privacy Regulation project is even stricter but necessary. Some organizations have objected: in particular, the Developers Alliance, a trade group representing, among others, companies such as Facebook and Google, said it could cost European businesses more than 550 billion euros, and Digital Europe said the legislation’s prohibitive approach “seriously undermines the development of Europe’s digital economy”. Even so, the new Directive will try to settle the principles of a new digital scenario in which companies will obtain citizens’ explicit consent before placing tracking tools on their devices or collecting data through their communications. This means that in the short term the rules for all the players in this market will have changed, forcing the EU, Member State governments and companies to find a common strategy to confront the new privacy rules.
The information above shows that the GDPR and all the regulations that come after it involve a change in how organizations deal with the processing of personal data. As a result, all the players (governments, companies, consultants, and even users) should pay attention to how things evolve in terms of privacy, because both privacy and technology are constantly evolving. Further, as time passes, users will not only become conscious of their rights, but will also be more demanding about who wants their data and how they are going to process it. Consequently, I honestly consider that all of us, as users, will choose the company which can prove its commitment and diligence.