On May 25, 2018, my teammates and I at AppDynamics, and parent-company Cisco, marked the effective date of the General Data Protection Regulation (GDPR) with cautious optimism for the future of privacy. Now, one year later, we look back and reflect on GDPR as a positive force for consumers and the businesses that serve them.
What is GDPR and why does it matter?
GDPR is the groundbreaking privacy framework designed to reinforce core data protection principles in the European Union (EU), empowering individual consumers to control their personal information while expanding their privacy and legal protections. It has thrust privacy into the global political and business conversation, demonstrating its broad cultural significance. Regulators in the EU can enforce the GDPR by fining businesses for non-compliance, with possible maximum penalties set at the greater of 4% of global revenue or €20M, or by requiring non-compliant businesses to take steps to become compliant.
In 2017, The Economist reported that personal data had outpaced oil as the most valuable resource in the world. Given this context, GDPR is the most comprehensive attempt at regulating and policing how we use the world’s new “most valuable resource.” In the year since it took effect, GDPR has been a powerful catalyst for privacy protection as it places special focus on how businesses collect, store, process, secure, share and dispose of the personal data of their customers and employees.
What we’ve learned
One year later, we can be certain of three things: (1) Non-compliant international businesses have not been besieged with sizeable fines that could potentially shutter operations, with the notable exception of a hefty fine for Google. In fact, regulatory action has been mostly measured and closely focused on the audience-based advertising methods within media and advertising-technology spaces; (2) GDPR has improved business results in unexpected ways, and (3) GDPR has sparked an important global conversation about the value of people and their personal information via the data that identify them.
Proportionate and measured enforcement…so far
To date, GDPR enforcement has been much less draconian than major media outlets suggested in the run-up to compliance. Instead, the emerging consensus is that GDPR enforcement has often been a constructive and reasoned process. The Knuddels password storage case underscores this measured regulatory approach. Knuddels, a German social media company, exposed user personal data by storing passwords in plain text. The German regulator fined Knuddels €20,000 for its failure to apply appropriate security controls to user passwords — a clear requirement of GDPR. The regulator made note of Knuddels’ swift response and cooperative approach in implementing remediations. The fine, of course, could have been much greater for Knuddels. However, as stated in the regulatory press release, “those who learn from harm and act transparently to improve data protection can emerge stronger … it does not depend on the LfDI [the German regulator] to enter a competition for the highest possible fines. In the end, it’s about improving privacy and data security for the users.”
Regulators appear to be standing behind these public declarations, aiming to improve data protection and privacy practices rather than to impose costly, business-killing fines. However, businesses must continue to push forward with compliance efforts, as regulators may choose to increase enforcement intensity over the next several years.
Generating better business outcomes through Data Lifecycle Management
GDPR has spurred businesses around the world to actively engage with and document their “Data Management Lifecycles,” the process of managing business information throughout its lifecycle, from requirements through retirement. One of the more significant byproducts of GDPR and a prevalent topic amongst legal-product-tech circles in Silicon Valley and beyond is this emergence of privacy as an end-to-end process in the IT and tech stack. The prospect of unprecedented fines driven by GDPR non-compliance has forced businesses to rethink the process of end-to-end data lifecycles. This GDPR-mandated deep thinking has driven improvements in the flow of personal data.
Based on global survey data from the Cisco 2019 Data Privacy Benchmark study, select data privacy leaders worldwide identified the top business benefits realized through privacy investments, including better agility and innovation, operational efficiencies, competitive advantage, and fewer and less costly data breaches. As one CEO put it, “Good privacy and being compliant can vastly reduce the risk of a data breach.”
Igniting an important global conversation
Personal data flows through the Internet, the underlying network supporting it, the devices connected to it, and the apps running on those devices. As a key provider of this critical infrastructure, Cisco, the largest cybersecurity vendor in the world, has publicly addressed the inherent value of personal data by declaring that the right to privacy is a fundamental human right. In doing so, it has issued a call for implementing comprehensive and harmonized privacy legislation. Inspired by GDPR, the state of California has taken a significant step in advancing privacy protection with the passage of the California Consumer Privacy Act (CCPA), often called the United States’ first GDPR, which is scheduled to go into effect on January 1, 2020.
At AppDynamics, we continue to monitor the GDPR and the CCPA and are committed to elevating the importance of privacy while contributing to the global conversation. The world demands that data networks be built from the ground up to meet users’ data privacy expectations. To build trust and to be trustworthy, we protect customer data and embed security in our products and privacy and data protection programs. You can learn more about how we think of trust, security and data privacy at AppDynamics and how we ensure our program is aligned to Cisco’s data protection and privacy program by visiting our AppDynamics Trust Center.