The European Union’s General Data Protection Regulation (GDPR) went into effect in late May, an event that privacy and information security professionals had spent months, even years, preparing for. For most technology users around the world, however, the internet cookie banner renaissance on May 25 was the first tangible effect of this new regulation.
Speaking as the Director of Symantec’s GDPR Strategy, it’s been a busy month. Now that the law is enforceable, we’ve seen many impacts, some good, others less so.
Never before have the pervasiveness of technology, the omnipresence of personal data and the far-reaching privacy implications of digital modernity been exposed so plainly. The initial concern and irritation are understandable, but also temporary. The empowerment that the GDPR has brought is also starting to sink in, as both users and businesses realize they now have the ability to act.
Symantec's New Privacy GDPR Portal
Our GDPR Portal has quickly become a popular resource. Website visitors, individual consumers, enterprise customers and business partners alike have sent feedback that they regularly use our portal, which has also become a powerful enabler for our own product and sales teams. The chart below speaks to the interest that the Portal has generated in the three weeks from its launch on May 11 to June 3.
We’ve repeatedly heard that our product transparency notices, including these Norton Product and Service Privacy notices, are precisely what customers need. We’ve been able to further increase trust with our customers by describing the categories of data collected, and the purposes for which those data categories are processed. Our Global Privacy Statement and Customer Data Processing Addendum, which more thoroughly lays out our commitment to safeguard any personal data that we process, have also been in high demand.
People Actually Read Privacy Statements and Notifications
Contrary to common belief, we’ve found that a lot of people do read privacy notifications. Many click through, and quite a few even take action. Since GDPR-related communications and updates were rolled out, our Global Privacy Office and various customer support helpdesks have seen a clear increase in engagement from people exercising their privacy rights.
Increased Data Protection Creates New Challenges
Unanticipated requests have challenged our scripts, playbooks, or readily available resources.
While many of the requests we’ve received from customers and users have been straightforward thanks to careful planning and scripting, we’ve received a number of unanticipated inquiries. Former customers have gotten in touch to see if any data remains from years ago; people who were never customers have checked to see if we have any data about them; non-European users are testing whether they too could benefit from the transparency and privacy rights established in the GDPR; and requests in rare languages have required involving a translator on an ad hoc basis.
Planning for such contingencies was a big part of our GDPR preparation. The next weeks and months will be spent gauging what the new business as usual looks like; firming up the plans in place; addressing novel or emerging trends; learning as we go what works and what needs improvement; and automating data services where possible. In short: maturing our GDPR compliance program.
Increased Transparency Invites More Scrutiny, More Suspicion
GDPR-based litigation has started. Facebook and Google are facing lawsuits, and potentially billions of dollars in fines, for alleged GDPR violations. Meanwhile, certain crowdsourcing initiatives are preparing for future privacy class actions, generating additional suspicion. Maintaining the credibility and trustworthiness of data management practices has become a full-time job indeed.
New Wave of ‘GDPR-Right Trolls’
These trolls might include unscrupulous individuals and organizations submitting unfounded data access requests and threatening complaints and lawsuits, malicious actors using bots to flood privacy request intake portals and mailboxes with harmful spam, or cyber criminals trying to sneak targeted cyber attacks into the web traffic flowing to newly opened communications channels. The GDPR itself has made provisions to lawfully resist all of these; however, companies must be adequately prepared to secure and defend against these new threats.
Business is Being Forced to Change
And of course, the GDPR significantly altered the balance between privacy protections and business objectives. With customers exercising their right to be forgotten and opting out of communications, businesses lose opportunities to cross-sell or market additional goods or services.
The GDPR also holds engineering departments to more demanding ‘privacy by design’ and ‘privacy by default’ requirements than before, reducing the latitude of businesses to track, target and approach users with promotional messaging. Brands will now need to spend more time and effort to decide where to publish content to best reach their target audiences.