Christopher Gill at ISMS.online explains how the General Data Protection Regulation is changing data protection across the world
The General Data Protection Regulation (GDPR), which the European Union (EU) brought into force in May 2018, has significantly changed how individuals’ personal data is handled. The legislation sets a higher standard of protection across the EU and gives individuals more control over where their data goes. It has also standardised data protection across the EU, replacing the previous patchwork of member states’ national regulations.
Now, five years on from the day it took effect, we explore some pertinent questions: why was it introduced, and what did it replace? How is it shaping data protection standards within and outside the EU? Given the increasingly data-driven world economy, we will also explore some of the ways in which the future of data protection could take shape.
One bloc, one law
A major impetus for designing data regulation at the EU level was to standardise data protection laws across the bloc. Previously, member states legislated at the national level, within the framework set by the EU’s 1995 Data Protection Directive. The new arrangement also sets out fines for organisations found to have breached their obligations, with penalties of up to €20 million or 4% of total worldwide annual turnover, whichever is higher.
This “harmonisation” holds many advantages for both businesses and privacy professionals: having only one framework to keep track of makes handling consumer data across the bloc much easier. It also helps regulators hold companies accountable for breaches, because a single, clearly understood set of rules leaves little room for a “we didn’t know” defence, supporting both a better understanding of the regulations and a higher rate of enforcement.
Applying one consistent standard across Europe also enables businesses to expand and grow their customer base within the EU. If other regulations could achieve this level of standardisation, businesses would have even more advantages operating in a more economically integrated Europe.
More than a ripple effect
Moving away from Europe, the impact of the GDPR has been felt worldwide. Although it is an EU regulation, it applies to organisations across the globe in many cases: companies with an establishment in the EU, and companies outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU, must adhere to the GDPR regardless of those individuals’ citizenship.
This has raised general awareness of the importance of data protection worldwide and has started a global conversation about how this can be improved. We have already seen how the GDPR has become a catalyst for similar legislation in other countries: California’s Consumer Privacy Act (CCPA), in force since 2020, is a prime example.
The GDPR also creates incentives for businesses to apply its standards universally. The European market is lucrative, so if companies have to adhere to the GDPR to handle the data of individuals in the EU, they are more likely to apply the same standards in other markets for simplicity’s sake.
Enhancing trust and other benefits
The GDPR sets out seven fundamental principles that form its foundations: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. These easy-to-understand principles help consumers understand what companies do with their data, and they set the expectation that those handling it will “do the right thing”.
If companies can demonstrate a commitment to these principles, they will be rewarded with a higher degree of trust from their customers. Of course, better customer relations naturally lead to increased customer retention. Furthermore, higher data protection standards give organisations a competitive edge, so there is potential to increase market share through adopting the regulation.
Adopting the GDPR also helps companies know their customers better. For example, the marketing team can use the framework to identify the people for whom it has a lawful basis, such as consent, to market its products or services. The resulting smaller group will be easier to engage with and more receptive to marketing content.
Current and prospective employees will also welcome greater data protection at work. This gives businesses an edge in the labour market, as employees will feel more at ease with how the company handles their data.
Five years of GDPR: enforcement in review
Since one of the GDPR’s main objectives was greater accountability for non-compliant businesses, one would expect fines to be issued swiftly and frequently. However, both the number of penalties and the amounts businesses have been made to pay have proved lower than expected: just 839 fines have been issued so far.
Furthermore, despite being aligned on the law itself, enforcement varies wildly between member states. Spain is currently the bloc’s leader in enforcing the principles of the GDPR, having issued 277 fines since the law came into force. However, the largest fine to date was issued by Luxembourg against Amazon (€745m), a decision the company plans to appeal.
Conversely, Ireland’s Data Protection Commission (DPC) has been called out for failing to issue fines quickly enough to non-compliant companies within the country. This is an issue: Ireland hosts many of the world’s tech giants – including Google, Twitter and Facebook – but its under-resourced, under-funded data protection body severely limits its ability to enforce the GDPR.
The case of Ireland highlights another significant roadblock: businesses are often better-equipped than the regulatory bodies charged with policing them. Companies have invested in legal support to identify the “weak spots” in the regulations and in the enforcement bodies. This has led to reduced fines, and many decisions, including one against Google, have been overturned entirely.
The disparity between expected and actual enforcement of the law has raised an important question – is the much-lauded GDPR merely a “toothless tiger” in practice? While it may be tempting to say “yes”, this would ultimately be an unfair judgment. The goal of harmonising data protection across all 27 member states is massive and cannot be achieved overnight. Therefore, we must consider the successes to date as important milestones in this long journey.
The future of global data protection
A truly pioneering piece of legislation, the GDPR reflects a growing global need to take data protection more seriously. As companies’ operations become more data-driven, the rise of Data-Protection-as-a-Service will see the sector grow by as much as $18.95 billion by 2026.
Furthermore, the increased use of personal data in businesses’ day-to-day operations will see ever-harsher penalties for non-compliance. We are already seeing the effects of this threat: an IAPP study found that GDPR-compliant businesses increased by 7% between 2020 and 2021, comprising almost half (47%) of respondents.
Splendid (data) isolation?
The UK is currently reviewing the Data Protection and Digital Information Bill. This Bill, if passed, would open up a sizable chasm between UK and EU data protection regulations. The developments resulting from this “deharmonisation” will be interesting to follow – how will the existence of two divergent frameworks impact businesses in Europe? What will the costs be? Will companies have to choose, and if so, which side will they choose?
Incremental improvement
The EU’s General Data Protection Regulation has far-reaching effects on how we view data security worldwide. Its goal of harmonising regulatory standards across the 27-member bloc will revolutionise how business is conducted in Europe. But its impact has been felt far beyond the EU, and all companies handling the personal data of individuals in the EU must comply.
Given the size of the Single Market, mandating compliance for companies wishing to operate in Europe provides a real incentive for global businesses to adopt the GDPR universally. There are other benefits, too: better data protection will encourage customer loyalty and give companies a competitive advantage.
Brexit and the UK’s choice to pursue regulatory divergence will have consequences, especially for smaller businesses operating in both orbits. However, it is difficult to say what they will be at this early stage.
The last five years have tested member states’ abilities to enforce the regulations with varying results. However, we must remember that the GDPR is still in its early stages and not mistake teething problems for failures.
As businesses become more data-driven, European regulators must be ready to act when the rules are breached. If this can be achieved, Europe will be the gold standard for data protection worldwide.
Christopher Gill is Governance, Risk Management, Compliance and Audit Specialist at ISMS.online
© 2024, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543