The General Data Protection Regulation is here to stay. Enforcement officially began on May 25 and while it has created hassles and even havoc for companies scrambling to comply, it also brings some benefits for “data subjects” – that’s you, if any organization collects, processes or stores personal information about you – even those who don’t live in Europe.
Many companies will, in fact, play it safe and apply the stricter privacy standards to everyone’s data, since that’s often easier than figuring out to whom the law applies and having separate processes for those residing in the EU. That means the companies with which you do business (paid or not) will have to be more transparent about what personal data they’re collecting and how they’re using it, give you the right to review it and correct it if it’s inaccurate or incomplete (or in some cases require it be removed entirely), and “forced consent” will no longer be allowed.
These changes are all good for consumers, but as with many new laws, they represent only the tip of the iceberg. As the story unfolds, we may find that the regulation can result in additional changes that won’t be quite as welcome – even to those who are its intended beneficiaries.
Short term impacts
Some of the unexpected effects of the GDPR will be one-time or short-lived impacts, so we’ll look at those first.
Many of us have already seen one of the immediate less-positive impacts of the GDPR: our email inboxes have been deluged with notifications from organizations with which we do business, informing us of their new privacy policies (which of course were established in order to comply with the GDPR). It’s annoying, but not something that we haven’t already grown accustomed to getting from certain businesses in regulated industries such as health care and financial services. It’s just that now we’re getting more of them, from more different types of organizations.
One of the GDPR’s rules is that you must know, understand, and be given a choice about giving your consent to the collection of personal data. Even though organizations might have already obtained your consent in the past, that consent may not meet the standards laid out in the GDPR’s Article 7, Conditions for Consent. Thus, many companies will be asking for your consent all over again to make sure it meets those conditions.
Long term impacts
Short term hassles are something that most of us can easily live with, although we might grumble a bit. It’s some of the longer term and more severe impacts that might be worrisome.
EU IPs, stay out
It’s conceivable that some websites may decide the added expense, work and worry over compliance isn’t worth it, and solve the problem by simply blocking network traffic from/to IP addresses that originate in the European Union. Some are even calling this “the lazy way” to comply with the GDPR, and others have labeled it an ““extremist approach,” but it appears some orgs are considering or implementing this solution. For companies that aren’t targeting the European market, it can save them a lot of money, especially considering that the average cost of GDPR compliance was estimated by some sources to be $1 million or more for large companies.
But what does this mean to web users? It means EU residents may no longer be able to access some sites at all, and it may also affect those who are only temporarily in the EU for business or vacation, or even people who have never set foot on European soil but use an EU-based proxy server.
A boon for ransomware distributors?
It’s always disturbing when new laws end up unintentionally benefitting criminals – although it happens more often than we would like to think. One cybersecurity chief exec has speculated that the GDPR could make it more likely that some companies would pay the ransoms demanded by this particular type of malicious software in order to avoid the hefty GDPR fines that would come with revealing the breach. This, in turn, could cause the ransomware attackers to increase the amounts for which they hold organizations’ data hostage.
Of course, the law also requires companies to report such breaches, so those that paid the ransom and kept quiet would be in violation of the law (and subject to even greater penalties). However, it’s not hard to believe that some orgs, faced with the choice of paying a $100,000 ransom demand vs the possibility of fines in the millions, might try to get away with it.
No more mom and pop shop
Small companies are already being edged out of business in many ways. As large companies merge and grow bigger and bigger, they use economies of scale to offer prices with which smaller companies can’t compete. The rate of startup businesses in the U.S. has been declining. There are many factors involved, but the cost of excessive government regulation is often cited as an important element.
Whereas large enterprises can afford expensive compliance solutions – hiring consultants and/or onboard compliance management personnel, implementing new software and hardware security measures, legal fees, additional training of employees, etc. – many small businesses operate on very tight budgets.
Although businesses with fewer than 250 employees that only occasionally process the personal data of EU residents are exempt from some of the GDPR requirements with which larger organizations have to comply, they are not exempt from the regulation itself. If it is determined that the processing of such data “is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data… or personal data relating to criminal convictions and offences referred to in Article 10,” then the small business must provide the same level of detailed record keeping as larger companies.
Small companies that can’t afford compliance may be edged out by huge conglomerates, resulting in less competition in a particular market and fewer choices for consumers.
We’ll all pay the price
Some consumers might see the cost of GDPR compliance as simply a “business problem” but in fact, when the cost of doing business goes up, companies have to either increase their revenues or cut their other costs. That means prices they charge for their services may go up. Currently free sites may start charging for access and services. Or the level and quality of service may be cut back. Employees may be laid off. The ripple effect can impact many people, both directly and indirectly.
Only time will tell how this all shakes out, but it’s a good bet that the GDPR will have some far-reaching implications that its authors and the legislators who enacted it into law didn’t anticipate and for which companies in the EU and elsewhere, in their compliance strategies, didn’t plan.
Flexibility is always the key to dealing with any kind of unexpected events, so it will be important for IT professionals, organization decision-makers, and individual consumers to be ready to adapt to whatever a future “GDPR world” may bring.