After a Year of Implementation, Is the GDPR Working?

On May 25th, 2018, companies the world over changed forever. That was the first day of the implementation of the General Data Protection Regulation or GDPR. Although a European Union or EU creation, it’s affected companies that do business within the EU, even if they’re not based there. It’s thus become important for marketers and business owners all over the globe to pay attention to the rules of the GDPR.

That day, May 25th, has come and gone. Now, we can officially say we’ve all lived with the GDPR rules for one year. You may have changed your privacy policy on your website to stay in compliance, as have your competitors.

Still, you can’t help but wonder, has the GDPR done its job? Are the rules currently in place enough to keep companies compliant? What does the future of the GDPR even look like? If those are questions you’ve asked yourself at one time or another this past year, then keep reading. We’ll talk about all these points and more in this article.

What Is the GDPR? A Quick Recap

Before the GDPR was implemented last spring, we wrote up a great introductory article on the topic. Just in case you missed it, we’ll provide a quick recap of the GDPR now.

As we mentioned in the intro, the GDPR went into effect on May 25th, 2018. The provision first came about in April 2016 as a means of upgrading Directive 95/46/EC or the 1995 Data Protection Directive. EU data protection became the main priority of the GDPR.

To keep that data protected, EU states get their own independent supervisory authority (SA). If complaints and offenses on an administrative level roll in due to non-compliance with GDPR regulations, the SA would manage these. To promote further compliance, the GDPR also called for the creation of a European Data Protection Board (EDPB) and the use of a data controller.

As mentioned in the original article we did on the GDPR, the definition of a person’s personal data is very clear under these regulations. It’s “any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”

What Happens if You Fail to Stay in Compliance with the GDPR?

Although the GDPR affects those in the EU, if you do business with any European companies, then you need to stay in compliance, too. Even if you have EU customers, you must follow the GDPR rules. Otherwise, you could get slammed with GDPR fines as well as other penalties.

These penalties could hurt your company, especially if you’re a small business or startup. Even mid-sized companies could probably scarcely afford to pay a fine of up to $24.49 million USD, the equivalent of 20 million Euros. Barring a fine, you’d lose your global turnover for the year if it’s four percent or below.

In our introductory article, we recommended doing the following to stay in compliance:

  • Work with an attorney to ensure you cover all legal rules, even the loopholes.
  • Find a Data Protection Officer (DPO) who can answer your questions and guide you towards compliance.
  • Ensure you do another data security system audit to maintain compliance for 2019 after your initial audit last year.
  • Only work with third-party businesses that maintain GDPR compliance.
  • Upgrade your website’s privacy policy if you haven’t already.
  • Accommodate customers who want their accounts deleted or unsubscribed. Make sure you remove all traces of their account information.
  • Upgrade opt-in form permissions for those who do want to stick around.

How Have Marketers and Business Owners Stayed in Compliance?

What about marketing companies and businesses just like yours? Have they successfully achieved and maintained compliance over the last year? To answer this question, we looked at some of the bigger marketing firms.


Over on HubSpot, they upgraded their product for better compliance with GDPR regulations. This includes improving their security controls through auditing, advanced authorization and authentication, and encryption. HubSpot portal admins can alter customer information if they ask for it, including updating or deleting this information. They also give their customers the freedom to opt out when they want to without needing to state any one reason.

HubSpot, which uses cookies, also asks for cookie tracking consent now before outright doing it. They plan to upgrade this feature with ePrivacy Regulations. Speaking of consent, HubSpot pushes for it hard with opt-in notices, opt-out confirmations, and information on what customers get when they do opt-in.

The marketing company also follows what they call a “lawful basis of processing.” This means when they use a customer’s data, they should have a legal reason for doing so.


What about email marketing platform MailChimp? They’ve altered any vendor contracts with third parties after the GDPR went into effect. Instead of single-step opt-ins, MailChimp added a two-factor authentication feature. They also switched up their privacy policy to reflect the new rules of the GDPR.

Besides all that, MailChimp made a data processing addendum. You can view that here. This addendum or data processing agreement (DPA) describes the following changes:

  • If a customer decides not to do business with MailChimp anymore, the company will remove all its data, even copies of data.
  • MailChimp has committed itself to offer up more security reports and audits to stay in compliance.
  • They changed their security, tightening it so customers don’t have to worry about their data getting into the wrong hands.


If you use Zapier, then you should know how they updated their policies and rules after the GPDR went live last May. For one, they’ve presented transparency regarding which third-party vendors they use and what they do with user data. These third parties include:

  • HelloSign
  • Typeform
  • Workable
  • BambooHR
  • ClientSuccess
  • Google
  • Slack
  • HelpScout
  • FullStory
  • Iterable
  • Stripe
  • Amazon Web Services (AWS)

Zapier also changed its privacy policy and terms of service to more closely follow GDPR regulations. They pronounced their roles as Data Processor and Data Controller, altered their data tooling, and did an audit of internal data as well.


Finally, there’s us here at EngageBay. We’ve striven to get a certification from Privacy Shield, a US, Swiss, and EU governmental agreement on the regulation of data. Our company has also changed templates, service features, internal processes and policies, notices, and agreements for better compliance. With our new privacy policy, customers have the right to unsubscribe or opt out at any time and have their data deleted when they do.

Customers might also request a data export, which EngageBay will do. This passes said data onto a third party. Recertification features, accessible through account settings, let you make changes to your account info when you need to.

Are All Companies Meeting and Complying with GDPR Guidelines?

There’s actually a whole lot more incompliant companies than you might expect.

In fact, according to a January 2019 article from TechRadar, big names like Apple, Amazon, and Google haven’t quite lived up to the rules of the GDPR. The article goes on to mention research from Talend, which reviewed 23 United Kingdom businesses. What did they find? Of those UK companies, a staggering 74 percent failed to comply with GDPR regulations. Specifically, these businesses had customers asking them if they could see their personal data, which the company didn’t provide fast enough. Under the GDPR, companies should readily send that information off in 30 days’ time.

According to a July 2018 article from Channel Partners, most companies failed to meet complacency by that month, 80 percent. That meant only about 20 percent of companies were in compliance two months after the GDPR went live.

That’s understandable, to an extent. We’d like to think the slow move to compliance wasn’t done out of malicious intent. Instead, it takes time to absorb the rules and regulations of this new policy. If your company decided to hire an attorney or other legal counsel, getting ready for compliance in two months might not have been possible. There’s also the matter of reworking major policies and services, all of which might not happen overnight.

By January of 2019, Data Post Center noted that 50 percent of companies had entered a state of compliance. That progress meant 30 percent more companies had hopped aboard the GDPR train and were treating their customers’ private data with the utmost care. Still, 50 percent is only half. About 50 percent more businesses and companies around the world still aren’t meeting compliancy. Whether that’s accidentally or on purpose, we can’t say for sure. That’s a lot of companies that still have a lot of work to do, though.

One Year in, Is the GDPR Working?

Okay, so the GDPR began a year ago. We know that, at the beginning of 2019 at least, that half the companies out there hadn’t achieved compliance yet. January was almost six months ago, though, so maybe things have changed since that Data Post Center article.

Does lack of compliancy mean the GDPR has failed? Has it succeeded in other ways? Where do we stand now?

An April 2019 article from PrivateSec Report says that matters of personnel, financing, and resourcing have led to lower compliance rates than intended. The article mentions that threats of major financial strain through penalties, of course, had the attention of companies around the world…last year. As we get further and further from that initial announcement of the GDPR, though, have companies taken these threats of penalties as seriously? No, but they should.

DPAs did start investigations into non-compliance as recently as summer 2018, although PrivateSec Report defines these investigations as “exploratory” in nature. If companies didn’t quite meet compliance that early on, DPAs weren’t eager to punish or penalize.

That doesn’t mean enforcement has been nonexistent. The article from PrivateSec Report mentions that in March 2019, a company in Poland got a fine for incompliance. What exactly happened here?

Per a writeup on the European Data Protection Board (EDPB), the fine came from the President of the Personal Data Protection Office. The company’s controller knew of its duties but didn’t provide adequate information as necessary through the GPDR. They were then fined 220,000 pounds. In USD, that’s $278,718. Ouch! That’s definitely a pretty penny.

After what some might have called a somewhat lax start then, the GDPR regulators have proven that they will take action if absolutely necessary.

Also, the EU isn’t the only part of the world with its own GDPR rules. PrivateSec Report goes on to say that Liechtenstein, Iceland, Norway, and Switzerland have all clambered to create and enforce their versions of the GDPR. The same is true in South Korea, India, and East Asia.

California and Brazil have already implemented their own respective regulations. In Brazil, the General Data Protection Law will go into effect on August 15th, 2020. California has its California Consumer Privacy Act. This begins on January 1st, 2020. Both the General Data Protection Law and the CCPA have similar regulations to the GDPR.

Greg Sterling at MarcTech Today spoke to Brave Software’s industry relations and chief policy offer Johnny Ryan on the topic of the GDPR. Ryan participated in an investigation based on Google. As you recall, we mentioned in the last section how Google is surprisingly one of those companies that have failed at GDPR compliance to this point.

Ryan says that today, we marketers have two jobs. “Marketers are now controllers, even when they do not realize that they are. This exposes them to legal hazards, and will ultimately cause them to be more careful about the targeting that is used in their campaigns. In June, the European Union’s highest court ruled that marketers are responsible for how data is used in marketing campaigns — even if they never directly touch the data.”

Wow, pretty crazy, right? Ryan goes on to mention that marketers who haven’t already done data protection impact assessments should, like yesterday. This is, after all, a GDPR guideline under Article 35.

While Ryan says that “change has yet to happen,” regarding data collection, he does talk about Google and other companies that have failed compliance. For them, Ryan mentions “things are looking bleak” and “they will be forced to reform.”

Overall then, we’d say that the GDPR has worked and will continue working. With the number of companies not yet in compliance, it might seem like the GDPR has had only a minor impact. However, precautions have been taken and penalties levied at those companies that have made serious compliance mistakes. Even huge brands like Google aren’t exempt, with investigations lobbed against them now. That says a lot.

The Future of the GDPR

That brings us to another interesting question. What will the GDPR look like in the future? While it’s hard to say, we think that getting large brands like Google, Amazon, and Apple onboard with compliance would go a long way. These are major companies that handle the data of millions of people day in and day out. That data comes from customers across the world. These three brands could act as the yardstick in which smaller brands could learn a thing or two about compliance.

Other companies that have yet to follow GDPR regulations because they perceive punishments as lax or nonexistent ought to perk up if even Google gets penalized. While PrivateSec Reports says money has a lot to do with non-compliance, is it the only reason? The primary one? It’s tough to say.

If the GDPR begins seriously enforcing punishable mistakes, then incompliant companies will have no choice but to shape up. Otherwise, they’ll face six-figure fines that could drive their businesses into the ground. The reputation of these companies could get trashed once the general public learns who’s in compliance and who isn’t. All that will hurt their wallet later than to pay to make compliancy changes now.

Listen, at the end of the day, we all care about our customers’ privacy, or we should. While it’s not easy or convenient to get into compliance with the GDPR, if it makes the customer experience better, then it’s worth doing.


Last year, EU data privacy regulations went into effect under the GDPR. Now that we’re into June 2019, it’s been a little over a year since that fateful day of May 25th, 2018. What have we learned since then?

Well, per data from 2019, up to 50 percent of companies still lack compliancy with GDPR regulations. That’s up from July 2018, in which 80 percent of companies were incompliant. Still, a 30-percent increase in compliant companies over a six-month span doesn’t cut it. Those oft-feared fines have been doled out to companies deserving of them. These six-figure fines should scare some companies towards compliancy.

While bigger brands like Google, Amazon, and Apple have yet to get onboard with GDPR compliance, that doesn’t mean your business should follow in their footsteps. These huge companies can afford a few fines. Can you? Do you even want to chance it?

The GDPR may have gone into effect a year ago, but it’s never too late to get compliant. If you haven’t reworked your company’s privacy policy, opt-out rules, third-party vendors, and other areas of personal data usage, today is a great day to start.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top