How are companies, consumers and authorities taking the new regulation?
Hello, I'm Frank Twan and I love this presentation template. There are going to be credits at the end so you can use it. I'm the co-founder of Fresh Compliance, and my other founder sits there, that's Phillip. We had a workshop together here that was a bit more practical, so don't worry, it won't be too theoretical today. We want to give you (I hope you can read it) an overview of GDPR so far.
So, the first five months of GDPR and what happened so far. We've been involved in now a little bit over 100 GDPR projects, I think 106 or 107. GDPR became effective on the 25th of May, as you might have already heard or might already know, and this came after a two-year implementation phase. All the other privacy laws that you might have heard of this year, like the Brazilian one or the one from the United States, California, the California Consumer Privacy Act, usually come with an implementation phase.
So they become active or effective after these two years of implementation, and the effective date of the GDPR was the 25th of May.
We think it's the farthest-reaching privacy regulation in the world, and not only we think that; I think it's common understanding, because there has never been a digital law or a privacy or security law that affected so many countries in the world. This law does not only affect Germany or France or Italy, but all 28 member states of the European Union. And the cool thing about a regulation like the GDPR is that it becomes effective in all 28 member states immediately. So we don't actually have to implement a national law or something like this to regulate this on a national level in the member states; it becomes effective immediately.
So what has changed since this date, the 25th of May? This could probably be a quote from you or people you know: "I'm so annoyed by all these information emails about updated privacy policies" and other privacy-relevant processes, where companies decided to send you, or sometimes spam your inbox with, those notification emails that something has changed with regards to GDPR.
And we think (but that's only our opinion, because of course it always depends on the business use case, and in some cases this might be justified) that in most of those cases the companies wouldn't have needed to send out those emails. From our understanding, many of our clients also told us they just did it because all the other companies did it, because they were worried that the customers might think, "Hey, aren't they on track with GDPR, because I'm not getting a privacy email?" But I don't know, ask yourself.
I actually appreciated those companies or those online tools and services who didn't send me one of those really, at times, nerve-wracking privacy update emails. We also saw a high increase of web cookie banners and consent banners, consent trackers. You've probably seen something like this, where you basically have to click "accept", "I agree", "I agree with whatever tracking me on your website".
At the same time, there was a decrease in third-party trackers. This is correlated to the consent forms, to the cookie banners, where they ask you if you agree with them having third-party cookies on their website, having tracker plugins and stuff like that implemented on their website to personalize ads and basically to further increase the data silos of Google and Facebook and all the other big tracking companies. Looking at all the top 2000 domains, we can see that there has been, I think, the biggest decrease in news portals.
You've probably heard of the Los Angeles Times; I think it was them that basically restricted access to all their customers from the European Union. So you could really see a decrease in those third-party trackers on certain websites or certain categories of websites. But this chart only goes from April to July 2018, and this was the best data that I could find; it's from whotracks.me, and they provide all that data regarding trackers, and they have all the trackers in their system.
And the most famous ones, of course, are the biggest ones; the biggest tracker networks come from Google and Facebook, but there are also some other names, and when you take a look at the names of those trackers, you've probably never heard of them. So we have to ask if those consent forms, those cookie forms on the websites, really ask you for consent, because some of them just say, "Hey, okay, I got it, I got the message, I've read your privacy policy", something like this.
But if they actually ask you for consent, you have to ask yourself if it's a transparent and fair consent if they include trackers that you've never heard of. So this is heavily discussed in many jurisdictions right now. Then, since the 25th of May, there was also a big increase in complaints, not just from consumers or your end customers, but also from businesses, because complaints towards supervisory authorities do not only come from your consumers but also from other companies, for example from your competition.
So we've seen an increase of around plus 50% at the minimum in most, or almost all, jurisdictions in the European Union. Some of you might say, "Hey, I've read in the local news that there has been, I don't know, an increase of 500% compared to last year, compared to 2017 or 2016." That's true, but we try to look at a median here, because I think there are many countries where privacy law is really new.
For example, I think in Romania and also in other jurisdictions, this is something where they don't really have experience with that kind of law and also with all the reporting obligations. So plus 50% is already quite high. And to give you an example, some authorities are totally over the limit since the 25th of May, for example the German supervisory authority, and I hope some of you can agree or have some further information. I think the same goes for the French authorities and also the Italian authorities, the ones in Spain.
So most of them already had some kind of privacy law in place before, because some of them had those reporting obligations before the wind of change, or wind of GDPR. From an organizational impact side, 60% said that GDPR has significantly changed their organization's workflows.
Of course, that means something like the reporting obligations that I just mentioned. Many companies had to improve their workflows. Some companies had to implement reporting obligations or reporting processes, because if they didn't have ISO 27 or something like this in place, they didn't have any kind of reporting structure, so they didn't even know how to handle all these requests that are coming in now, and data breach reporting goes hand in hand with that. If you have a data breach, you have to report it within 72 hours of becoming aware of it.
So many people tell you that you have to report any data breach within 72 hours, but it actually states in the law and also in the recitals that you have to report it within 72 hours of becoming aware of it.
That's really important if you have quite extensive external party management in place and have many sub-processors and suppliers, because the lawmakers already had in mind that in this interconnected, globalized world there are so many sub-processors that you are basically partly responsible for that it would become really hard to report all these potentially endless data breaches within 72 hours. So you have to look at this on a more level. And of course the consumer awareness has changed, but we didn't want to just give you some stats on the European Union.
I think it's really interesting, because we all know the consumer awareness here in the European Union is quite high. Like I said before, many of them had privacy laws before.
But we also saw an increase on the international stage. For example, in a survey from John Ryan, 69% of American consumers surveyed said that they would prefer privacy laws like the GDPR. So there you can see probably one of the reasons why the Californian Consumer Privacy Act is so closely related to GDPR. You can actually find mappings right now that map the GDPR to these other privacy regulations.
And many of them go hand in hand in implementing the law. I think this will be interesting for some of you. Unfortunately, he didn't compile the Unicode in the right way, so you won't see the little flags that I put behind the country names, but just to give you an overview on the national stages: like I said before, GDPR is immediately effective after the 25th of May in all European member states. So the countries actually don't have to do anything.
The law is there and they have to follow the regulation. They have to follow those 72-hour reporting requirements, and of course the requirements for data portability and all the other relevant regulatory requirements. But still, there are many clauses that give the individual member states some freedom to choose how they want to implement it, and that's why many countries are passing GDPR legislation in their jurisdiction.
Here you can see, on the left side, all the countries that already passed GDPR legislation, and on the right side those countries that didn't sign the law yet, or where it didn't come into effect, where they just drafted some kind of non-final legislation. And I think it's really interesting to see these numbers; I think they're from September.
So this should be very up to date, hopefully, because a few months back I think you had like three or four countries that were still in draft status. So many of these EU member countries have passed GDPR legislation now. It's funny, behind United Kingdom it actually put the little guy with the head there instead of the flag. So that worked. And then the question beyond the EU: what's beyond the European Union? As I said before, GDPR is kind of a best practice, and many countries decided to take GDPR as a best practice approach to implement something similar, to implement similar privacy laws. And I said many countries; I know there are not many on there, but you can look for the very good references from ER and other institutions; they provide quite extensive lists. I only put Brazil and California here because I think these are the closest approaches to GDPR that we have yet, because there are many other countries who have signed something similar into law, similar to the GDPR, but it's only similar. Those two, the Brazilian one and the Californian one, are very similar to the GDPR. I know some will disagree and say, "Hey, the fines are not the same and it's on a totally different level." But if you take a closer look at the structure and all the regulations, then you will see that it's closely interwoven with the GDPR.
So I think it's really interesting that we have countries that might follow the European Union on that, and hopefully there will be more of them in the future. That doesn't mean that I agree with all points from the GDPR, but I still think it's a best practice approach, because it definitely tackles the right questions. And I also have to say that some of the requirements that they took, for example in the California Consumer Privacy Act (and that's the thing with the best practice approach), I think they are improving on what we already have. For example, if you take a look at the definitions of the California Consumer Privacy Act, I think their definition of what constitutes personal data is a bit clearer than the definition from the EU and from the GDPR. So this is something where we can all improve, and I think the lawmakers on EU level, and of course also on a national level in many jurisdictions, are already working on improvements for the GDPR. So this is something where they can work together on, hopefully also on an international level. But as we see, it's really hard to agree on an international level, and it's already hard on an EU level. But from what we've seen so far, it looks quite good.
And also for the five months' status quo of the implementation from the companies that we've seen, they definitely matured from May, or from before that, because it always depends where our clients are from. If they're from, let's say, Germany or Austria, they already had quite strict privacy laws in place, so of course it's easier for them to implement all these new requirements from GDPR or even go beyond them, because they are probably in many cases above the required maturity level.
So I hope that wasn't too fast. Thank you very much. I don't know if we still have time for some questions.
Yes, we do have some time for some questions. Are there any questions in the room? Otherwise I'll stop.
Some countries in the institution, other countries in Europe, are still in a condition of implementation, although the deadline was made; they still have to complete the legislation.
Yes. So that's with everything GDPR related: everyone's too late. The countries are too late, the companies are too late. So you're absolutely right with that question.
How that goes in line with the requirements of the GDPR: I mean, it's the regulation and they were supposed to have something in place on that date, but countries are too late, companies are too late, and the supervisory authorities are also too late, because they also had some obligations, like providing lists for data privacy impact assessments.
It took them some time to finish all of that. So I think it's only fair that some countries now take a bit longer, but as I said before, keep in mind GDPR is already effective in all of those countries. So even if they haven't passed a local or national implementation law, most of these requirements from the GDPR are applicable, or actually all of the requirements are applicable, but some of them are a bit more broad and require some kind of interpretation.
Then it might be a bit harder for those countries to implement, because they haven't taken the time to interpret this, at times, a bit more broad law. Okay, any other questions? Otherwise I would ask, of course, the obvious question.
Will the authorities go to the companies and verify whether their projects are GDPR compliant or not, or will they wait till something happens?
To be honest, right now they wait until something happens.
Because as I said, most authorities are just at capacity when it comes to all the obligations and the requests from customers and companies. So right now, they'll definitely wait until something happens. But in the future, depending for example also on which sector you are in, there might also be more active engagement from the supervisory authorities.
But looking purely at the GDPR requirement side, they will come at you as soon as a customer complains or competition complains, or if something is in the media, like the Facebook scandal with Cambridge Analytica. You know, that doesn't have to be anyone; I mean, you've probably all seen those pictures in the media where the ICO visited the offices of Cambridge Analytica. So there are some special cases, but in most cases I think they will come after someone complained. Okay, maybe one final question.
Everybody was waiting for these very large fines hitting these large companies, and as far as I've read the news, it hasn't happened yet. What do you think is the reason for that? That was the big thing that everybody had in mind. I won't give names, but why didn't that happen?
Yeah, so I think for the big ones there are still some ongoing court cases, like Facebook, WhatsApp and Cambridge Analytica. But I think a few days ago, for Cambridge Analytica, there was a fine now of something like 500,000 pounds, but correct me if I'm wrong.
But these are not the high fines that many people were expecting when we were talking about GDPR and how crazy it would be, you know, fines up to 20 million or I think 4% of the yearly turnover. So nothing like this has happened. There have been a few smaller cases, but I think you won't see anything with the big companies, because they are involved in actual court cases right now, and those cases are ongoing.
So I think you will have to wait until next year; then there might be the first higher fines. But right now, the maximum that we'll see will be something like in Portugal, where we had those fines, I think 400,000 euros, for a hospital where they didn't have some kind of authorization concept. So probably very interesting for Consumer Identity World as well, because I talked to some people here on authorization practices and stuff like that and on the technical stuff, and they didn't have anything in place, so everyone could access everything.
So some technical guy or the reception could just access all the data, also all the patient data and health data. So I think some of those cases might come up within the next few months, but it'll always be in that range. So let's wait for next year, when some of those court cases have matured, and then we'll probably see higher fines. Great, thank you.
Thank you, Frank Twan.