Who Puts Dampers on Data Protection?

74.4 percent of respondents to a non-representative survey by the European Center for Digital Rights claim that a data protection authority would currently find at least one violation of the General Data Protection Regulation (GPDR) at an average company. The non-profit data protection watchdog polled around 1,000 professionals in said field working internally or externally for companies in the European Union. When it comes to who is responsible for not enforcing a stricter data protection compliance policy, one actor comes up far more frequently than others.

According to the survey, 47 percent of people in charge of or connected to upholding privacy standards experienced at least some pressure from sales and marketing departments to not fully enforce GDPR rules. This comes as no surprise since the collection and usage of customer data for internal and external purposes is central to Customer Relationship Management, social, e-mail or chatbot marketing and e-commerce ventures. Management also ranks high on the list, with the C-suite and top-level management in the second (32 percent) and lower level management in the third spot (29 percent). The legal and data protection departments allegedly put the least pressure on internal and external data protection professionals.

The GPDR, implemented in May 2018, is one of the most recent measures undertaken by European lawmakers to curb the influence of giant internet companies like Alphabet, Amazon or Meta and to ensure user data generated in the European Union is protected under strict laws. Further regulations protecting user interests that came into effect since the inception of the GDPR are the Digital Markets Act, which prevents corporations from becoming gatekeepers and hindering competition, and the Digital Services Act, which aims to enforce stricter and more unified content moderation policies as well as increased transparency efforts by so-called "very large online platforms."

While the instruments are there in theory and billion-euro fines against companies like Meta as well as alleged privacy violations by tech upstarts like OpenAI have made the headlines, the reality is far less impressive and correct implementation is spotty more often than not. "Management wants to use the data to make money and only wants to have to do the bare minimum to comply with the laws and regulations. Marketing departments and IT just want to do their thing and bypass privacy advice as much as possible", as one data protection officer in the Netherlands is cited in the survey results. "Even after providing training for five years, people still do not know how the law works as it is a complicated piece of legislation. Basically, it feels like fighting a tidal wave and losing."