One Year of GDPR from the Perspective of a Privacy Tech Startup

28. May 2019

On May 25, 2018, the EU’s General Data Protection Regulation (GDPR) went into effect. Although data privacy laws existed before, GDPR was the first of its kind, mainly because of its key principles for the collection of personal information: the requirement for explicit and informed consent by the data subject, the right to information and the right to be forgotten. Another novelty introduced by GDPR is the risk of hefty fines of up to 4% of global annual revenues for companies that don’t follow the rules.

Since GDPR took effect, data privacy has increasingly been at the center of attention for both the general public and companies worldwide. From the developments of the last year, three main trends for the future of data privacy can be derived.

1. GDPR is the Global Standard for New Privacy Laws

Shortly after the introduction of GDPR, it was noted that Europe had, de facto, established a new global data privacy standard, since the rules apply to foreign companies as well. Several countries, such as Brazil, India and South Korea, have already followed Europe’s lead by adopting GDPR’s key principles. Meanwhile, China is enforcing its Cybersecurity Law (CSL), which makes data processing more difficult, especially for international companies. And in the United States, even Facebook CEO Mark Zuckerberg recently called for the adoption of Europe’s privacy regulations.

“I believe it would be good for the Internet if more countries adopted regulation such as GDPR as a common framework. New privacy regulation in the United States and around the world should build on the protections GDPR provides.”
– Mark Zuckerberg, Founder & CEO, Facebook

In fact, several US states have already passed new privacy laws, with California being the first. In June 2018, the California State Legislature passed the California Consumer Privacy Act (CCPA), a regulation based on concepts similar to those of the GDPR. US policy makers keep pushing towards stronger privacy protection: two weeks ago, the city of San Francisco passed a ban on facial recognition technology.

“I think part of San Francisco being the real and perceived headquarters for all things tech also comes with a responsibility for its local legislators.”
– Aaron Peskin, San Francisco City Supervisor

2. Privacy Protection Moves Beyond Regulation

The decision by the city of San Francisco and the statement from Mr. Peskin highlight that data privacy is fundamentally a matter of social responsibility. Profit-oriented companies understand this implication as well. Microsoft President Brad Smith published a statement on the matter in December 2018.

“While we believe that new laws and regulations are indispensable, we also recognize that they are not a substitute for the responsibility that needs to be exercised by tech companies.”
– Brad Smith, President & Chief Legal Officer, Microsoft

It is evident that companies not only have to follow the rules in order to avoid fines, but also need to view privacy protection as a responsibility towards their customers and the general public.

Because consumers value privacy protection, good practices work as a key differentiator in the market, which ultimately results in a gain in economic value. According to a study by Harvard Business Review, 78% of respondents say that strong data privacy protection significantly enhances reputation and helps to differentiate a company’s brand.

“Individuals can have more trust in the companies that process their data transparently, and that is a competitive advantage.”
– Cristina Cabella, Chief Privacy Officer, IBM

3. New Business Models Require Privacy by Design

Most new business models rely heavily on the collection and processing of data. This is particularly true for all use cases that involve analytics and artificial intelligence; common examples are the development of autonomous vehicles and smart retail concepts. While these use cases have great potential to contribute positively to the customer experience, quality of life and ultimately economic prosperity, they also pose threats to data privacy. Clearly, halting technological progress is not an option. Nevertheless, it is important to follow legal and ethical guidelines, especially in data-driven use cases. One of the key principles here is privacy by design and by default. For example, GDPR suggests using technical measures, such as pseudonymization, in order to fulfill its core principles.

“The controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation.”
– GDPR, Article 25

All new data-driven business models will require a thorough approach to realizing privacy by design. Merely looking for loopholes or grey zones in existing regulations will not be enough, not because of the risk of hefty fines, but because consumers demand that their identities be protected.

Thomas Strottner
Head of Business Development