GDPR - the Initial Shock
As with many EU regulations, when considering the initial effects of GDPR on the business environment, it would be safe to say that practice and theory are far removed. This is to say that the noble intentions which lie at the heart of adopting comprehensive standards for data protection run the risk of stirring up quite a bureaucratic mess for most companies, without adding much in the way of actual improvements to people's lives.
In theory, GDPR is here to help European citizens get control over their personal information and the way it is currently being processed, whereas the set of rights pertaining to personal data is part and parcel of EU citizenship itself. Moreover, companies are responsible for the ways in which they gather, use and store all of our personal information, whether it be sensitive or otherwise.
However, the truth is that GDPR is a complex set of rules, which can overwhelm multiple areas of any business' activity. There's always a risk that exhaustive measures haven't been taken – let alone thought of, as might be the case with larger companies, which process data in several different ways, potentially leaving some of these unaccounted for, while the fines and penalties for failing to do so are anything but affordable.
Fearing the worst leads many to look for ways to comply on the surface, instead of actually doing something about the safety of our data. Most companies are now spamming their customers frantically for consent, in spite of recital 47 and article 6; both deal with the issue of legitimate interest, including the much disputed issue of direct marketing, within the wider context of any business, especially those with an appropriate, ongoing relationship with their customers. In turn, the people at the other end of this unsolicited correspondence tend to become fearful and hyper-vigilant about their data, even when this is clearly uncalled for.
What is more, bureaucracy of the type that has been, until recently, limited to under-performing public institutions has quickly become the norm for private companies seeking to generously comply. Confidentiality agreements and cookies have taken over each and every website in sight, while internal documents about data protection are flooding workplaces all over the continent and beyond.
But when it comes down to it, few people ever get the chance to actually benefit from the rights conferred to them by GDPR. Most agree to the terms without reading them or fear that their information has been stolen and used for some unknown, nefarious purpose. Meanwhile, companies are still processing data in much the same way they always have, with one notable difference: now they're also buried in paperwork, which makes them less efficient or productive.
While having a set of universally applied standards for data protection is a laudable endeavor, the first effects of GDPR have already generated a wave of frustration from businesses and customers alike. At this point, we can only hope that this initial shock will soon wear off and that all of this will lead to more meaningful changes down the road.