Roughly a year ago, the EU implemented the most comprehensive data privacy law the world had seen. Today, as we take stock of how much things have changed, the answer is both “not much” and “quite a lot.”

Let me explain. When it comes to data protection, we’re seeing two different developments. The first is within the EU itself, and the second is with other governments. Within the EU, relatively speaking, the implementation of GDPR is still in its infancy. As an EU law, it does not have a central enforcement body. Rather, each member country implements the law in its own way and enforces it according to its implementation.

Thus far, we’re only just beginning to see some results. Enforcement bodies are being set up, and complaints are being generated. While most companies have implemented a GDPR compliance policy, they have also adopted a wait-and-see approach. Their eventual policies will depend on the specific geographies where they operate, the kinds of personal data they handle, and what they do with it.

Investigations are ongoing, complaints are coming in, and we are slowly starting to see fines and enforcement. We are also seeing more guidance come out of supervisory authorities in various countries. One year in, it remains the early days. More time is needed to get clarity on the impact of GDPR. But one thing is certain—we are all much more aware of data collection and use practices.

The EU, however, is not the only game in town. Other individual countries have adopted their own regulations. Singapore has the Personal Data Protection Act. Brazil has the General Data Protection Law. And so on. Again, how those laws will be implemented and enforced remains to be seen.

California’s Sweeping Revamp

Potentially the most challenging development, however, comes not from a country but from a U.S. state. The California Consumer Privacy Act (CCPA) is potentially one of the most sweeping revamps of data laws. Given that California is by itself the fifth largest economy in the world, larger than the U.K. and France, this is a big deal.

Without going into too much detail, the law does two things:

  • Broadens the definition of personal data.
  • Creates litigation risk for any large business that collects or uses that data.

The challenge for companies lies in both compliance and the risks of the law, and in the fact that it will likely be amended before implementation in 2020.

While these developments do not exactly accomplish the goal of protecting consumers’ data, providing free services, and allowing businesses to flourish and grow, everyone agrees that inappropriate use of data is an ongoing problem, and that data can be used not only for good but also for evil. This means we must be more vigilant and aware of:

  • What data we have
  • How we use it
  • How we protect it

Consumers are becoming more and more savvy to what companies are collecting and what they are doing with it—and they are uncomfortable with some of the practices.

The opportunity for companies, of course, is to use their expertise to educate the world, consumers, and companies alike, on:

  • How data is collected, stored, and used
  • What is appropriate use
  • What the benefits are to consumers

They should also lead by example in clean and acceptable uses of data. They have a duty to be transparent with end users and consumers and a responsibility to ensure they are using data in a manner that is not only legally permitted, but also ethically appropriate.

Demystifying Data

Everyone in the industry has a stake in demystifying data and educating the public on what it really is, how we use it, and how we can protect it for the benefit of all. The more people understand, the more likely it is that governments will provide effective legislation. One good place to start would be to explain that privacy policies should not be blindly accepted, but read and understood. People need to know what exactly they are agreeing to—and how to opt out, if they choose.

When all is said and done, last year looks a lot like this year. The fruits of our labor from GDPR are slowly being realized:

  • Companies are examining their practices and exploring the limits of compliance.
  • Consumers remain uneasy as to how their data is being used.

Get Prepared Now

At the same time, new laws are being proposed—and even getting passed in some cases—and preparing for them is an imperative for many businesses. To ensure we get the next phase right, data providers and consumers will need to ramp up their efforts to shape the future, because without good regulation we could end up with costly litigation, a loss of innovation, and a further erosion of consumer trust. Stay tuned.

  • Rachel Glasser

    Rachel Glasser is Global Chief Privacy Officer of Wunderman Thompson. Rachel is responsible for compliance design, audit roadmaps, and data privacy regulation (GDPR and its impact on business) at the creative, data, and technology agency.