A huge cyber-attack or data breach that cripples online activity is regularly listed as a major risk to global economic security, along with the physical risks of climate change and geopolitical conflict. Since British mathematician Clive Humby declared in 2006 that data is the oil of the 21st century, it has slowly dawned on governments, regulators, and companies that they have been sitting on goldmines for decades.

Along with this has come the realisation of the need to better protect this wealth of information. Enter the European Union’s General Data Protection Regulation (GDPR): a landmark 88-page piece of legislation that put data privacy and individuals’ rights on the map, introducing previously foreign concepts such as ‘the right to be forgotten’ to millions.

The overall thinking is not brand new – it is based on the 1995 Data Protection Directive, which is itself based on legal principles that have been in place since the 1970s. What’s different is the meaning of consent, and a clarification of the rights of individuals.

And if the measurement of success is awareness-raising among the general population, the GDPR has been remarkably successful: according to a 2019 (just a year after its implementation) study by Eurobarometer, nearly three in four people living in Europe were aware of at least some of their rights under the framework.

“GDPR has really popularised the sense of control, and its broad applicability is what makes it so impactful – it’s created a common language,” says Andrew Clearwater, chief trust officer at Atlanta-headquartered privacy management software service OneTrust. “Now you have millions of people with a broad expectation of what their rights are and how their data will be handled.”

One misnomer: while most of us learnt about it from the hundreds of ‘can we still contact you?’ emails from every company we’ve ever bought clothes or an appliance from, that was actually a separate law governing digital communications – the GDPR just tightened the meaning of consent for various pieces of legislation. The data protection rules themselves are more focused on how companies manage and store the personal data of individuals.

Not knowing how to answer a question on GDPR makes a company significantly less desirable to work with

“If I’d spoken to someone about what I do pre-2018 their eyes would glaze over – now they still might, but they will have at least heard of the GDPR,” says Jonathan Baines, chair of the National Association of Data Protection Officers in London (NADPO). “There is no business out there that does not process the personal data of individuals in some way – even a one-man building company has customers.”

And while it was the potential for huge, headline-grabbing fines that initially captured the attention of senior management teams, data privacy experts say it is this awareness-raising that has contributed the most to the law’s ongoing legacy. “While companies could respond by doing the bare minimum, for most, that new awareness has had a much bigger impact than a potential fine might,” adds Clearwater. “It means the bare minimum is just not enough compared to your competitors. Most have been forward thinking about helping their customers exercise their control.”

Measuring success
Determining the success of any legal framework is difficult and depends on its stated aims. For starters, it certainly seeks to address an existing problem. A common criticism of regulations is that they only solve past causes of crises and will not prevent future ones. But cybersecurity and companies’ handling of personal data is highly sensitive, and while the GDPR is about more than cybersecurity, a personal data breach that leaves customers open to hacking is likely to carry its most severe penalty.

“The concept of accountability is so important,” says Clearwater. Companies are required to maintain reams of internal evidence as proof of their compliance with the law. “That isn’t being broadcast endlessly, but it has to be there. And that creates this iceberg effect where users see a couple of small changes when they use a website, but below the surface, there are potentially hundreds of people engaging with records processing or vendor relationships in much better ways than in the past.”

From the earliest stages of product development to the way internal recruiters manage their databases, individuals at all levels and in all departments are expected to consider data privacy, says Edward Starkie, senior vice president of cybersecurity at risk consultancy Kroll. The intention was baking in “privacy by design” across every department of an organisation, he explains.

And while a whole new sector of privacy experts and firms purporting to be a one-stop-shop on GDPR compliance quickly sprung up around the regulation, for many companies, making use of one defeats the intended purpose of the framework. “There’s a perception within some businesses that these products are a silver bullet, but if you truly want to meet the intention behind the legislation, it has to be privacy by design,” says Starkie. “That can’t be achieved with the retrospective implementation of a tool.” Besides, Baines says that many of these were providing poor advice. Fundamental misunderstandings about what the law was intended to do – the confusion around digital marketing for example – led to some poor and incredibly costly mistakes, such as some companies dispensing with their entire marketing databases.

Data as an asset
If GDPR was about reining in the astronomical power wielded by Big Tech, it has been remarkably unsuccessful. A fair chunk of all fines have hit technology companies, with Amazon and Instagram paying the highest so far at $740m and $402m respectively, but they have barely made even a ripple in the ocean of enormous profits these companies report every year: in 2021 Amazon made approximately $33.4bn; Instagram parent company Meta took home around $39.3bn. While GDPR has undoubtedly improved the privacy rights of millions, these data farmers are still stockpiling vast reams of incredibly personal data and making billions of dollars every year out of selling it on – often at an enormous cost to society.

The difference between these companies and everyone else is that their whole business is personal data, so their privacy risk appetite is naturally much higher. “It makes a lot of sense for regulators to target the top tier – the Googles of the world which make money from not being compliant, compared to in other sectors,” he says. Mark Thompson, chief knowledge officer at the International Association of Privacy Professionals, seconds this. “Organisations are striving to work out what is the right level of personal data to minimise their liability but maximise their asset value,” he says.

Forever playing catch-up
Besides, law and regulation will always be playing catch-up to industry, particularly when it’s one as fast-moving as technology, says Jenna Franklin, co-chair of the data protection finance group at law firm Bird & Bird in London. And the EU’s fight on data privacy and governance continues: still in the pipeline are the Data Governance Act, the Data Act, the Digital Markets Act, Digital Services Act, the Artificial Intelligence Act, the Digital Operational Resilience Act, and the second Network and Information Security Directive.

“There’s always a tension, particularly with data protection rules, where regulators don’t want to stifle innovation – but they have to weigh that with the impact on the individual and how we protect their rights,” says Franklin. The COVID-19 pandemic and the remote working revolution it prompted certainly made things more difficult. While the GDPR requires data controllers to report breaches within 72 hours of becoming aware of them, a 2020 IBM study found that the global average time to identify and contain was an enormous 280 days. EU countries tended to perform better than others, but not by much.

Unfulfilled potential
Despite the eye-catching headlines around the GDPR’s potential for record-breaking fines, the penalties themselves have not come close to fulfilling their true potential. While information regulators technically have the power to hit companies with a fine of up to four percent of annual global turnover, the majority have not come close to that. Not all penalties are publicised by data protection authorities, but most have been under six figures, which for most companies is a mere drop in the ocean of the billions of dollars in profits each year.

We still have clients coming to us and saying ‘we’ve not done anything for GDPR – please help us’

“There was so much hype built up around the potential for fines that I don’t think it was ever going to match the reality – there was a lot of fear mongering around this four percent figure,” says Starkie. Clearwater says that beyond the big technology companies whose very business is personal data, it’s difficult to identify trends in enforcement, with fines hitting consumer goods, finance transportation, retail and hospitality all fairly evenly.

But Franklin says the conversation around fines served an important purpose at the start of implementation when it came to raising awareness among senior management. “When we were building our initial business case, the prospect of big fines was a helpful stick to encourage the board to take the rules seriously,” she says. “It made it clear that data protection is a financial risk, and generally across the board, resulted in really good compliance programmes.”

The pandemic had an impact here, with many regulators sympathetic to the major changes in business practices and the strain this put on internal systems and technology. But while working from home is here to stay for many, those days of understanding may well be over. After a slow start, regulators have recently stepped things up a gear. Fines increased by 92 percent, and the average total is rapidly climbing from five-figure totals in the earlier stages.

“The scariest part for businesses is still the risk of fines, in part because the financial damage of a large fine is inseparable from the reputational damage – a large fine will always get a large amount of coverage in the press,” says Baines. “It’s true that those future-defining fines just haven’t materialised yet though. I think that comes down to the way UK regulators do things.”

The UK is culturally different from the US in this respect, he explains, with regulators generally preferring to work with businesses. It’s also down to a GDPR stipulation that fines must be proportionate. “I think the conclusion is that only in very rare circumstances would it be proportionate for a data protection breach to effectively end a business,” he adds.

It’s who you know
Another fundamental shift has been in the management of vendor relationships. Clearwater says that who companies work with has become a much more important measure than it was in the past, here drawing a parallel between the GDPR and companies’ sustainability efforts when it comes to managing relationships with third parties. “The material way of moving forward with your sustainability commitments is going to be either choosing the vendors that are on the journey with you, or moving to those that are,” says Clearwater. “In the same sense, not knowing how to answer a question on GDPR makes a company significantly less desirable to work with, which can have a big impact on business.”

Starkie, who regularly advises on the data protection elements of joint ventures, mergers and acquisitions, seconds this. “In a number of cases we’ve come across where there has been a [data protection] breach, while it hasn’t necessarily killed the deal, it’s definitely delayed it,” he says. “There are a lot more considerations that now need to be taken into account: what individuals are impacted? Which privacy jurisdictions do they fall under? What is the potential for fines? In that sense, privacy has become just like all other risks businesses must consider.”

As a general rule, compliance has been harder for long-running businesses with legacy systems that were used to handle personal data pre-GDPR, says Bird & Bird’s Franklin. Within financial services, for example, it’s in many ways easier for a fintech company or challenger bank with new systems and customers that have only been on the books for five or so years to integrate the concept of privacy by design than it may be for a traditional bank with decades-worth of customer data to grapple with.

“Newer companies tend to have the technology advancement and without the headache of legacy systems,” she says. “In that sense I would imagine regulators might come down harder on a fintech for noncompliance – it’s easier to meet the requirements of GDPR as a start-up or scale-up than it is a traditional institution.”

A delicate balance
As with most regulation, the typical business isn’t looking for 100 percent compliance, says Kroll’s Starkie. Most are looking for “a degree of compliance that demonstrates the intention to do the right thing,” he explains. “No one wants to be vulnerable to being picked off from the back of the pack, but there are no major returns for being right at the front either – there’s a real herd mentality at play,” he explains. “We still have clients coming to us and saying ‘we’ve not done anything for GDPR – please help us.’ I would say there was definitely a perception that the whole pack would be much further ahead than it is by now.”

GDPR has really popularised the sense of control, and its broad applicability is what makes it so impactful – it’s created a common language

The conviction with which this view is held varies between types of businesses, of course. “There are some industries or organisations where their entire strategy is based upon having a strong reputation – industries where individuals can quickly change between products and services for instance,” adds Starkie. “The risk of a data breach is very real for them. But for others, I would be interested to see the data on how many individuals have exercised many of their rights under the GDPR. I think it would be quite small.”

Either way, study after study has shown that privacy is important to consumers. A 2016 survey by KPMG revealed that more than half of respondents had decided against buying a product or service online due to privacy concerns. Three-quarters said they were uneasy with the idea of their online shopping data being sold on to third parties, with social media, gaming and entertainment companies singled out as those being most intrusive with personal information.

The long arm of European regulation
Another potential barometer of success is just how many other governments have followed suit in the years since GDPR implementation. Similar laws now exist in dozens of countries including Bahrain, Indonesia, Israel, Japan, Kenya, New Zealand, Nigeria, Turkey and South Korea – along with others. Arguably the highest profile is the state of California’s Consumer Privacy Act (CCPA).

And while the CCPA was initially perceived to be much weaker than the GDPR, its first settlement landed in early September, with cosmetics company Sephora fined $1.2m for failing to inform customers that it was selling their data on.

Baines says that the European Commission’s two goals were protecting individuals’ rights and facilitating business. “That second piece is often overlooked though,” he says. “The homogenisation of data protection frameworks actually makes business easier and has had a significant effect on the way tech companies are run. They are a bit like tankers: they take a while to move. Nearly five years on from GDPR sounds extraordinary, but we’re only really now seeing its effect extending across the globe.”

One country where the GDPR’s future may be uncertain, however, is the UK. While the UK is not obliged to retain the rules on its statute books since leaving the EU, it has thus far. But that was cast into doubt in early October at the Conservative Party conference when newly appointed culture secretary Michelle Donelan said the rules were “limiting the potential of our businesses.” Privacy experts were quick to point out that the global nature of the internet means it is not as simple as abolishing the GDPR. Most have taken this with a pinch of salt, arguing that it is more a political statement than anything else.

Power to the people
Complacency may remain rife among certain businesses today, but that could be a future-defining business risk for some because as Baines argues, the true potential of GDPR simply has not been realised yet. “Businesses are conscious of the costs of compliance, and this will depend on the type of business. But those that have experienced aggrieved employees or customers making requests for their data are certainly mindful of how costly it can be,” he says. “Say you have a large customer base and a big chunk of them becomes aggrieved, maybe because there’s been publicity around a data breach or some sort of consumer rights-style campaign. The sheer cost of dealing with that would be a real business risk, before you’ve even got to a regulatory issue.”

A common criticism of regulation is that they only solve past causes of crises and will not prevent future ones

There was a hint of this over 10 years ago when Austrian law student Max Schrems picked a fight with Facebook over its handling of personal data. He pointed out that the social media giant was unlawfully transferring personal data between Europe and the US, and his work forced the European Commission to twice change its rules on transatlantic data transfers. Another Max Schrems could be highly effective.

There is also the potential for class action lawsuits, in which large groups of affected individuals can bring a collective case. One such case was brought against Google with a $5.5m settlement approved by a US district judge in February 2017, and momentum appeared to be building around that time, says Baines. The decision was ultimately struck down and the market went quiet, but it could change, he adds.

“If that had been successful we’d have seen a hell of a lot more litigation, but it went completely cold – these cases haven’t been as successful as some hoped or expected, but the litigation market is nothing if not ambitious,” says Baines. And these remain frontier times for the online world, with today’s generation mere guinea pigs. As big technology companies become ever more intrusive, most people are more focused than ever on their rights. The rules are in place – it is time individuals made the most of them.