3 Glorious Years of GDPR and Its Correlation to Brexit Crisis
In the last 3 years, we have seen organizations try different ways to meet GDPR guidelines, often losing their way amid political and regional crises. Today, GDPR completes 3 years of its existence. However, the GDPR’s impact has been mixed, and some consumers still lack confidence that their data is now better protected than before.
As of January 2021, European data protection authorities have imposed 661 fines totaling more than $331 million since the law went into effect.
In a joint letter, German Chancellor Angela Merkel, Danish Prime Minister Mette Frederiksen, Estonian Prime Minister Kaja Kallas, and Finnish Prime Minister Sanna Marin said it’s time for Europe to become “Digitally Sovereign”. GDPR gives organizations based in Europe a wonderful opportunity to meet sovereignty benchmarks.
According to IBM, GDPR is a solid ground to build a strong data privacy framework that benefits both users as well as companies collecting data. IBM states, “The GDPR (General Data Protection Regulation) seeks to create a harmonized data protection law framework across the EU and aims to give back to data subjects, control of their personal data, whilst imposing strict rules on those hosting and processing this data, anywhere in the world.”
To better understand the various ways GDPR influences corporate governance, especially in the Brexit era, we sat down with a few industry leaders.
This is what they had to say about GDPR’s current form and shape.
Landmark Accomplishment Diluted by Weak Enforcement
Data privacy expert and CEO of Duality Technologies, Dr. Alon Kaufman, has commented on the GDPR’s three-year anniversary:
“When the GDPR came into effect three years ago, it was a landmark accomplishment – the world’s first multinational, comprehensive legislative act to protect data privacy. Yet paradoxically, the perspicacity behind the GDPR has also been its Achilles heel, as other jurisdictions have legislated parallel privacy rules – leading to discrepancies that often impair organizations’ ability to conduct vital cross-border data collaborations, introducing a new level of complexity in global digital cooperation. This can impact international collaborations, i.e. healthcare institutions carrying out vital research into curing diseases or financial institutions striving to prevent money laundering.
Last year’s ‘Schrems II’ ruling, which invalidated the ‘Privacy Shield’ loophole which had permitted US-EU data transfer, was an unforeseen yet inevitable outcome of European policymakers’ attempts to regulate data exchange. Moving forward, the use of Privacy-Enhancing Technologies (PETs) to facilitate secure data collaborations – increasingly endorsed by regulators across numerous industries – can provide a way out of this regulatory logjam. PETs can allow multiple parties to collaborate on data despite competing data privacy regulations – even across borders – and their widespread rollout will be necessary as more and more countries develop their own privacy frameworks. Three years on from the GDPR’s introduction, it is possible for the public to simultaneously enjoy personal data protection while also reaping the rewards of data collaboration.”
Nicola Howell, Managing Attorney, Legal at Dun & Bradstreet UKI and Europe, said, “It’s been three years since the GDPR became law in the UK – so what has changed since May 25th, 2018? For one, we have left the European Union. A new president has come into power in the US. And the global pandemic has disrupted all industries. Despite all of this, the GDPR has become an essential directive across Europe. The regulation is no longer a phrase that sends shivers down the spine of business.
However, many businesses are rightly discovering that GDPR compliance has more utility than simply avoiding a nasty fine – it’s a marker of an organization that invests in accurate, up-to-date and secure data processes.”
GDPR Pushing the Online Economy toward First Party Data System
Oliver Betts, Head of Data Strategy at MediaCom, said, “Data has been at the heart of both the media and marketing industries for a long time; but with GDPR having restricted the ways that personal data can be collected and used, and Google reducing the ability of cookies to collate user data, the industry is set for a seismic shift from a third-party-centric model to a first-party centric one. Already, the GDPR has created an increased reliance on first-party data, and brands that struggle to collect this data on the same level as they could purchase third-party data will face huge ramifications.”
Oliver continued, “The brands with the biggest chance for success in a GDPR and post-cookie era are data rich advertisers and retailers – such as Sky and Amazon – with the means of capturing large amounts of personal data directly from consumers. The data from these companies – and particularly the walled gardens of Facebook, Google et al – are going to be a lot more valuable than before. Those without the means to collect customer data directly from their sites or platforms will find it much harder to acquire data that gives them valuable insights into consumer behavior.”
“These technological changes in how brands can collect data will have a far larger impact on how the industry operates than just GDPR alone – which now feels like an aperitif to what will be the main course that is a cookieless future. What we can expect to happen next is that in exchange for more of consumers’ data, brands will incentivise consumers so that they can actually use their data. Whether that’s a retailer offering customers 20% off their next sale or even loyalty points, consumers will likely part with their data if there is a compelling reason to. This is what we call “zero-party data”, and is likely the future of customer data collection.”
With GDPR, Complacency Is Never an Option
Data security specialists comforte AG issued the following comments on the European General Data Protection Regulation (GDPR) from product manager Trevor Morgan:
“GDPR provides procedural standards that are intended to raise every person’s and every organization’s awareness to the right to data security. As such, it is instrumental in building the culture of data privacy and protection that citizens of the European Union (and world) deserve. GDPR continues to influence other national jurisdictions as they grapple with the same issue of data privacy and handling, and as they try to create that same culture within their borders. Nothing is perfect, but GDPR has been a significant force for good in the fight to protect peoples’ most sensitive information. Has it made things a little tough for many companies? No doubt. Is it worth it? Just think about whether you want your personal data mishandled by unregulated companies.
Millions of dollars (and euros) in fines have been issued to violators of GDPR. Enterprises spend many millions, maybe billions, more attempting to comply with GDPR through procedural refinements, compliance monitoring, and tool acquisition. The fact that GDPR codifies data protection standards and associated fines for non-compliance means that more and more enterprises are doing their best to handle, process, and store peoples’ data more safely. Ask any of the violators of GDPR whether it’s more bark than bite, and I think you’ll find that the answer is obvious. Has GDPR forced perfect compliance? No, not by a long stretch. However, people now in the EU have a better chance at data privacy than they did before GDPR. It’s definitely not just bark.
GDPR and its stipulations are responsible for many positive changes in the way organizations handle and process sensitive information collected from the public. In a sense, one of the main purposes is to raise consciousness on the pervasiveness of sensitive data and how companies should treat individuals’ private information. As such, it’s all about building that culture of awareness. One of the requirements mandated by GDPR is for specific types of organizations to institute a role focused on the strategies and tactics of data protection: the Data Protection Officer (DPO). The role requires not only an awareness of the legal and regulatory requirements of GDPR and associated data privacy best practices but also how the enterprise functions and works with data so that workflows, technologies, and employees can comply with it. Having a function dedicated to making sure that data privacy is a main goal of the company—that abiding by a culture of data security is a responsibility and not just an option—is better than having no internal oversight or a de-centralized influence. The effective DPO can raise awareness, help determine risks, and mitigation issues in order to make sure that the enterprise complies with GDPR.
More and more companies are aware of data protection because of GDPR, and of course more recent regulations in other jurisdictions have been greatly influenced by GDPR. Whenever something is codified, it becomes easier to understand what needs to be done to meet the minimum standards of behavior. This is especially true not only with enterprises that must comply with GDPR but also with the many technology vendors who bring to market tools to help automate and make more efficient the data handling process. GDPR spells out what companies need to do in order to keep sensitive data safe, and that also guides how data security technology evolves to meet the needs of companies wishing to maintain compliance with efficiency and effectiveness.
We are seeing that other nations are issuing data protection laws to oversee data collection, handling, and processing activities within their jurisdictions. Therefore, companies (especially multi-national ones) need to understand which of these newer mandates affect them. Complacency is never an option. However, we are watching the evolution of data security technologies—in part spurred on by GDPR and other laws—to protect data better with less pain and effort on the part of the organization. Automation, machine intelligence (machine learning and artificial intelligence), and better data protection methods that are more data-centric (protecting the data rather than borders and perimeters around that data) are game-changers. In the next few years, we will see that technology makes compliance with GDPR easier and more effective with less human intervention, thereby protecting peoples’ sensitive data more effectively in the process, all at a decreasing cost to the enterprise.”