It's forced us to think more carefully about how we build systems to pick up, retain and scrub data. So all clients (>1,000) and their clients (likely in the millions) have benefited.
They absolutely won't have noticed a difference - by design!
Unbeknownst to downstream users, there are now more rigorous systems in place to manage this information and reduce the surface area where it might be captured
Many of these companies didn't have consent to have the data to begin with or at least no way to show that they collected it.
A good example is Wetherspoons Pub chain dropping their email database they used to spam people with. I've noticed I'm not caught in any more breaches according to Troy Hunt whilst before I was getting my email breached once a year by some company. According to Troy Hunt's breach DB, over a dozen companies with my credentials have been breached forcing me to never use those email/password combinations again.
But the real benefit is this:
Some random online store that I bought something from once decided to send me a spam SMS around Black Friday.
One email and 24 hours later, all the data they had about me was deleted.
Of course, this only works if you're in Europe buying from a European store so they're subject to fines from some trigger-happy privacy authority.
Assholes like Google still do not ask for consent. Guessing someone at the EU is working on gathering a mountain of documentation so they can fine them that famous 4%.
Personally, I barely receive any out-of-the-blue marketing calls or texts anymore. If someone dubious markets to me via phone or email, I know my rights and I can follow how they acquired my data and who sold them my personal details.
As a software developer/entrepreneur, it made me think more about personal data and has affected my architectural decisions.
I still hope we'll be able at some point to come up with a more refined protocol than HTTP (or better sandboxing of the browser/device), where you could selectively reject loading JS resources and where resources would need to explicitly say what they were gathering, where pixel tracking would need to be announced (and only after your consent would those resources run/load). Totally OK with the site not loading either if you didn't give the permissions. Probably never going to happen, but that would be a true handshake: "I want to check this out", RE: "Sure, we want your location, track your navigation across the website and we'll sell this as part of a dataset, including your IP, so that someone else then can buy several different datasets and create a proper picture of your activity", "Sorry, thanks, not interested". (And yes, it would need to be written in a way that's understandable, not 5 pages of crap.) The same applies to mobile phones/computers/apps.
Or better yet, a browser/device API, where you (the developer) would need to declare all resources you wanted to access (DEVICE_IP_ADDRESS, DEVICE_LOCATION, MOUSE_POSITION etc.); this would compile all of them into a legible manifest that you could read before it is un-sandboxed and allowed to run. Any attempt to read such information from the browser/device where one of those permissions wasn't granted would return null (might be the best argument for the existence of null).
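The "declare it, show it, then gate it" API sketched in the comment above, as an added example that is not the commenter's code or any real browser API. The resource names, the RESOURCE_DESCRIPTIONS catalogue, SAMPLE_DEVICE and the helper names are all assumptions made for illustration; the two properties it demonstrates are that consent can never widen what was declared, and that every ungranted read yields null and leaves a record the user or browser can inspect.

```javascript
// Added example (not the commenter's code): a toy "declare, show, then gate" device API.
// Resource names, SAMPLE_DEVICE and the helper names are assumptions for illustration.

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Hypothetical catalogue of sensitive resources a script may declare in its manifest.
const RESOURCE_DESCRIPTIONS = {
  DEVICE_IP_ADDRESS: "your public IP address",
  DEVICE_LOCATION: "your physical location",
  MOUSE_POSITION: "your pointer movements on this page",
};

// Constructed sample values standing in for what a real device would expose.
const SAMPLE_DEVICE = {
  DEVICE_IP_ADDRESS: "203.0.113.7", // documentation-range address, not a real host
  DEVICE_LOCATION: { lat: 48.85, lon: 2.35 },
  MOUSE_POSITION: { x: 100, y: 40 },
};

// Turn the declared resource list into the legible manifest the user reads
// before the script leaves the sandbox. Unknown resource kinds are rejected
// so a script cannot declare something the catalogue has no description for.
function renderManifest(declared) {
  const unknown = declared.filter((r) => !hasOwn(RESOURCE_DESCRIPTIONS, r));
  if (unknown.length > 0) {
    throw new Error(`manifest names unknown resources: ${unknown.join(", ")}`);
  }
  if (declared.length === 0) return "This site asks for no device data.";
  return (
    "This site wants access to:\n" +
    declared.map((r) => `  - ${RESOURCE_DESCRIPTIONS[r]}`).join("\n")
  );
}

// Build the gated device object the script actually runs against.
// Only resources that were both declared and granted are readable; every
// other read returns null, and reads of catalogued-but-ungranted resources
// are recorded in `log` so the user (or the browser) can see what was tried.
function createSandboxedDevice(declared, granted, device = SAMPLE_DEVICE) {
  renderManifest(declared); // validate the declaration before granting anything
  // Consent can never widen the declaration: grants for undeclared resources are ignored.
  const allowed = new Set(granted.filter((r) => declared.includes(r)));
  const log = [];
  // Frozen snapshot: granted values are filled in, everything else is null.
  const view = Object.freeze(
    Object.fromEntries(
      Object.keys(RESOURCE_DESCRIPTIONS).map((r) => [r, allowed.has(r) ? device[r] : null])
    )
  );
  const proxy = new Proxy(view, {
    get(target, prop) {
      if (typeof prop === "string" && hasOwn(RESOURCE_DESCRIPTIONS, prop) && !allowed.has(prop)) {
        log.push({ resource: prop, outcome: "blocked" });
      }
      return hasOwn(target, prop) ? target[prop] : null; // anything unknown is null too
    },
  });
  return { device: proxy, log };
}

// Stand-alone demo: the script declares two resources, the user grants only one.
const demoDeclared = ["DEVICE_LOCATION", "MOUSE_POSITION"];
console.log(renderManifest(demoDeclared));
const demo = createSandboxedDevice(demoDeclared, ["MOUSE_POSITION"]);
console.log(demo.device.MOUSE_POSITION, demo.device.DEVICE_LOCATION, demo.device.DEVICE_IP_ADDRESS);
console.log(demo.log);
```

The access log is the part worth keeping even in a toy: a script that keeps probing DEVICE_LOCATION after the user said no is exactly the behaviour a browser (or an auditor) would want surfaced, and recording it costs nothing because the read already returns null.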
A lot of sites throw up a modal that just disappears when you say no. And I've verified that in most instances this completely kills all telemetry.
I was working at a SaaS that provided first-party personalisation at the time GDPR was introduced and heard a lot of stories about clients just dropping pointless and long-term data.
I have family in the school system that called panicking that this was a disaster... then a few months later admitted it meant that they actually handle their data well and no longer accidentally leak personal info (financial, medical, behaviour, attainment) to other families, kids, teachers, or third-party companies. Oh, and their emergency fire list is now kept up to date.
I've used the powers of the GDPR to eliminate some low-level harassment of my grandfather.
Google, Facebook, and the Yahoo auth group are still diddling with data they shouldn't, but on the whole it is a much much better world.
You also know you can get all the information a company has on you, and get them to delete it if you need to. I haven't made use of it yet, but I've read of people who have.
From inside the business side, I see most companies thinking about GDPR compliance when developing new products and features. What was never the case before, and what you notice now, is that they try to minimize PII collected to avoid headaches, and they are very careful about how data is shared with 3rd parties, asking for consent before doing it, etc.
From the perspective of selling a B2B SaaS service, GDPR has been incredibly successful at making Security & Compliance an important discussion that is had during the sales process. Most leads will have security/compliance as an agenda item during sales calls, while before GDPR this was much less common.
GDPR has effectively turned Security & Compliance into a selling point and a point of competitor differentiation (it was this way in the past too, but much more so after GDPR). I think in the long run, this has/will result in companies having a heightened awareness of security/privacy and budgeting more time and money on security, simply because GDPR has connected it more directly to the business's bottom line.
I think it's good in the long run. In practice, the result is probably a decrease in risk of data breaches (fewer companies have your data, and the ones that do are more aware of their responsibility to treat it properly).
It's important to note that this benefits everyone (not just people of the EU). Very few companies will go through the trouble of treating EU data differently than non-EU data. Everyone is benefitting.
I have also used it to stop unwanted postal ads from local companies. I get to find out how they obtained my info, and also stop some junk mail.
For the sibling comments mentioning the GDPR popups / cookie notices, why not add a blocklist for these to your adblocker? At this point adblockers should be considered basic security software, like a firewall or antivirus. These lists exist and are pretty comprehensive.
As an American living in Europe I think it's a great law and I wish there was something comparable to protect my friends and family stateside. And as someone who administers a fair amount of business and client data, I do not find the law inconvenient to comply with. I am very pro-privacy and protective of user data, and I didn't have to make any major adjustments.
For many of us software people, it isn't that revolutionary. These are things we should've been doing for a long time, and many of us have been doing.
But many companies are massive and bureaucratic. Everything from random giant companies to schools, hospitals, etc. These people don't really care about 'privacy', and many abused the hell out of people's privacy, many unintentionally (just careless). And since they make up big processors of data it was necessary to have them improve their practices. Now they actually think about how data is being processed rather than just chucking it around.
The GDPR's biggest impact or purpose isn't to reduce online tracking. It's to secure data rights for citizens in general. And the biggest abuses of that didn't happen due to advertising or tracking.
Personally, I feel the conversation on data in many organizations has helped me feel more secure in my privacy considerations. Although it may not be because of the GDPR, I feel I can make facebook/google/
So there's been a big change in how my data is being handled in the real world - any effect on random websites online is just a nice-to-have bonus. It's sort of moving in the right direction, but it's obviously not a priority in enforcement, and a better treatment for that can be tweaked in a next version of GDPR. The important thing was to tackle all the big relationships (and privacy abuse potential) people have with e.g. their cell phone provider, supermarket chains, lenders, etc., which are now mostly 'clean', and the major online players such as Facebook, Google, etc., which will probably require years in courts.
So I sent them a GDPR request, and they told me exactly what data they had and which data they didn't have (confirming that it was next to nothing, and thus that I didn't have to worry about the breach too much). They also confirmed which wallets are in the account (allowing me to confirm that they were empty, as expected, thus giving me no reason to fill out the KYC).
Without GDPR, I'd have been faced with the choice between giving them more data, or not being able to confirm that the wallet is empty (thus potentially losing out on cryptocurrency that I had forgotten about). In the end, I'd have probably provided the information, potentially exposing it when they inevitably have the next breach.
Before that, Germany already had GDPR-style laws. I get very little spam, because people don't sell my address. I think there was one case where my address was passed along - I demanded to be told who passed it along, deleted, and the deletion request be passed on too, and the spam stopped. Doesn't work for completely fly-by-night companies and proper spammers, but does work for the ones who try to stay on the shady-but-not-illegal side (losing one address doesn't matter to them, and is certainly not worth the trouble of not complying with the deletion request).
I'm literally not using a spam filter.
After I contacted the chain about it, within a few days my information had been erased and they said the clerk did not act appropriately and they'd also contact the shop in question to make sure this is not repeated.
It's a long story, but when purchasing, the payment terminal asks "Member?". If you answer in the affirmative, apparently somehow one becomes a member. In this case, the clerk reached out from behind the counter and pressed the button on my behalf while I was busy putting my card away. The receipt had the text "member" with a membership number and so on.
In retrospect I suspected that the clerk's KPI contains the number of new members. Most people probably won't care enough to raise noise about it.
Before GDPR, and actually before the improved EU privacy laws in general, say, 20 years ago, fixing this would have likely involved navigating some sort of swamp of dark patterns with several phone calls and tons of queueing, with a long lead time for the removal and so on.
In the run-up to the GDPR we saw an increase in companies that started to take security and privacy a lot more seriously than before. Before the GDPR all data was viewed as an asset and more was better.
After the GDPR went live - and especially after the first fines were issued - this has substantially improved; most - but definitely not all - companies that can afford it now have their security at a reasonably high level, and they've hired in-house specialists to help analyze the risks of their operation. Typically access to live databases is now far more restricted and so on.
There are some downsides as well, but that was to be expected (such as: the GDPR being used as an excuse to do things via web portals that used to be done via email, of course that same email can be used to reset the password to the portal...). Overall I'd say the improvement is vast.
The law exists but it isn't enforced by the regulator, and the way the GDPR law is set up there is no way to bring private prosecutions to enforce fines and get the law applied. So since the regulator isn't doing it, the law is effectively useless. Some companies are complying, but the bad ones are seeing no consequences and the compliant ones are bound to notice that they can safely ignore it completely soon enough. It has no enforcement currently; there is no rush to ensure your company complies.
For example, I now am far more willing to consider signing up for a loyalty card, as long as they don't use my data for profiling purposes. I didn't have many cards before, but the number has grown.
Same thing applies to online shops: I am far more willing to create an account when I see that my rights are being observed, and I can e.g. delete my data easily.
This, of course, assumes a processor that would rather be compliant with the GDPR in its current form, rather than fight it. Facebook, for example, needs to profile, and is using an IMO ridiculous interpretation of the GDPR to weasel out of the consent issue. Let's hope the courts do the right thing.
Had I not been protected by GDPR I would have had to submit documents to prove my identity, none of which was even required to operate the account in the first place.
They were harassing me, calling etc, and I wondered how they got my details after so long. Made requests for data they held on me, and complained to CNIL about their practices. They dropped everything and are now being investigated by CNIL on how they handle GDPR.
Without GDPR the majority of those hidden improvements would've been postponed indefinitely.
I do regard spammy notifications as regressions though.
The previous law was optional to implement for member states but I lived in a member state (the Netherlands) that did (as "Wet Bescherming Persoonsgegevens") and I think most other states did as well. Any company that wants to do business in the Netherlands had to comply with that law already (just like you can't come here to do business that is illegal for any other reason).
The main features as I see them are that companies have to obtain consent or have a valid reason for processing personal data, and you have a right to view your data. That was the case and is still the case. I've done data access requests prior and post GDPR and the responses are identical.
A number of details changed, but if you complied with the previous law and you're not a personal data broker, then you have to do very little to comply with GDPR. To give an example, consent now has to be "freely" and unambiguously given, whereas before it just had to be unambiguously given, which means that an employer can't ask you for consent due to the power relation and it's popularly interpreted to also mean that you can't bundle it ("consent or don't get the service") because then it's not "freely" given.
Stage one: these cookie consent popups are empowering. I'm glad the people won.
Stage two: I am getting a bit sick of having to understand custom consent forms on every site.
Stage three: what have we done, cookie consent has made the internet suck even more!
Stage four: I wonder what all this privacy stuff is really about (goes and reads about it).
Stage five: The internet is a strip mall crossed with a red light district run by the mob - we are doomed.
Stage six: This is something the government will be bad at for quite some time, and I actually have the power to take control of my personal privacy and freedom with minimal effort (relative to say overthrowing a tyrannical government).
In each case, A had no legitimate reason to store or process my data. In particular, the GDPR explicitly forbids them from exchanging C's data with any third party. Doing so could lead to severe penalties.
In all three cases I only had to point out these facts once to stop the whole claim. Very comfortable.
A friend of mine has used the GDPR give-me-my-data / delete-my-data email to expose companies doing shady stuff as they’re afraid of penalties under the law.