GDPR and Privacy
By: James Azar
It’s now over a year since the implementation of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
The impact has had far reaching and global consequences and will continue to do so.
How it started:
January 2012, the European Commission laid plans for data protection reform across the EU.
Make Europe 'fit for the digital age'.
This took several years to decide exactly would be involved and realistically, what they would be enforceable.
The major instrument to drive change was the General Data Protection Regulation (GDPR) which would apply to organizations that work in the E.U. or who trade services or goods within the E.U.
What is GDPR?
A set of rules and regulations which are specifically intended to give EU citizens more power over their private information. The intention was to move away from the confusion caused by the extreme disruptions of the cyberspace and streamline supervising body for businesses, in the interests of both businesses and consumers operating in the digital age.
From social media to retailers, services are collecting and analyzing personal data, names, social security and credit card details are collected and stored by companies. The GDPR reforms are a set of laws and obligations that pertain to this area of - personal data, privacy and consent.
What is compliance?
The GDPR set a precedent in the cyber regulatory landscape which although catering to European individuals and business rights and responsibilities in Europe, has sent shockwaves across the world. Companies have to ensure that personal data is gathered in a lawful way and under strict conditions, but those who collect and manage it must protect it or face penalties for not doing so or pay large fines and penalties.
How has it been working out?
Whilst many were either under or overestimating to what extent the GDPR would increase protection for citizens and increase responsibilities for organizations, we can now reflect on what we have actually learned from the implementation of GDPR over the past year.
1. They weren’t just talking
There have been countless examples of implementation of the regulations across industries and countries, which have brought even the tech giants to task. In early 2019, Google was given the largest fine of $57M handed out under GDPR so far, for lacking transparency when it comes to how Google collects and utilizes personal data for ad-targeting purposes. However, multiple smaller organizations have been fined, including a €220,000 fine issued to a Polish company in for failure to inform individuals that their data would be processed.
2. Countries are handling their affairs in the same spirit but at different levels.
These fines, notably stem from different GDPR regulatory services, the Google fine was dished out by CNIL, France’s National Data Protection Commission and the smaller fine originated in Poland. Fines can have a significant impact on the reputation and profits of organizations but it doesn’t stop there, companies also have to be very aware of temporary or indefinite suspension of services. This happened in an example from Holland where the Dutch Authority has meted out sanctions the country’s tax authorities for using the national identification number as part of the VAT return number for self-employed persons, due to a potential identity fraud risk.
3. DPAs are growing
In the early months of the GDPR, many DPAs (Data Protection Authorities) were exploratory, offering advice and guiding companies who were in breach of the new regulations. This period is coming to a close and DPAs are clamping down with fines and other sanctions, which in the news is dominated by misconduct by tech giants but in reality, applies to thousands of small companies.
We have been listening and California has applied its own version of the GPDR, the California Consumer Privacy Act (CCPA) which will go into action in 2020. The laws, inspired by GDPR, cover data subject rights.
To find out more about the GDPR, checks out the Goodbye Privacy Podcast.