The General Data Protection Regulation (GDPR) is perhaps the EU’s best-known and most-misunderstood law.
PrivSec Focus: GDPR 4 Years On is a livestream experience taking place on 25 May to explore the first four years of GDPR enforcement. I asked four speakers at the event about the law’s impact—and how they feel it could be improved.
The GDPR’s Influence on Society and Business
The GDPR made some important changes to EU data protection law, including new definitions of “personal data” and “consent”, some new data subject rights and—of course—those steep, steep fines we heard so much about in the run-up to enforcement.
But many of the regulation’s rules and principles date back to the Data Protection Directive (which passed in 1995) or even Convention 108 (signed 1981).
Perhaps the most important effect of the law has been on attitudes rather than legislation.
“For me, the biggest impact the GDPR has had on society has been the promotion of privacy to general conversation,” said Laurence Lawson, Privacy Specialist at Ericsson.
“Everyone seems to be discussing privacy these days, and becoming more privacy-conscious.”
This cultural influence can also be seen within organisations, said Enrique Angulo, GDPR SME at Yorkshire Building Society.
“The GDPR brought a radical shift in how organisations view ownership and treatment of personal data,” he said.
“While previously, most organisations felt entitled to use personal data any way they saw fit, nowadays every employee dealing with personal data needs to ensure that the information is processed lawfully and securely.”
And the influence on business goes right to the top, claims Bradley Tosso, Director of Information Rights and Operations at the Gibraltar Regulatory Authority.
“As a result of the GDPR, data protection is increasingly present in boardrooms around the world and consumer decision making, transforming business practice and consumer behavior.
“This is evident in our day-to-day regulatory engagement with organisations and citizens,” Tosso said.
The GDPR’s influence has spread beyond the EU, with many “third countries” having strengthened their data protection frameworks and regulatory oversight since the law passed in 2016.
Emma Martins, Data Protection Commissioner for Guernsey, said the Bailiwick’s equivalent of the GDPR “has had a big impact in that it prompted the creation of a new independent regulatory office.
“Setting up a new office, finding the right staff and putting in place the necessary operational and governance frameworks is a big task and takes time.”
Room for Improvement
Announcing its plans to reform the UK’s data protection laws, the government described the GDPR as “highly complex and prescriptive”, encouraging “excessive paperwork” and creating “burdens on businesses with little benefit to citizens”.
Criticism of the GDPR from within the data protection community is generally more measured.
“I think the best way to improve the GDPR is to actually fully use it,” said Ericsson’s Lawrence Lawson.
“We’ve barely seen any activity with some transfer mechanisms such as ‘codes of conduct’ or ‘certification mechanisms’ which could fix a lot of problems.
“Correct guidance is needed here from the EDPB (the European Data Protection Board),” Lawson said.
Bradley Tosso from the Gibraltar Regulatory Authority agreed.
“The GDPR is a journey and not a destination,” he said. “The regime will evolve further as we continue on this journey.”
“An area of particular interest is the further development of certification and codes of conduct to expand the regime’s toolbox, regulatory reach and resource.”
One aspect of the GDPR that data protection experts, including European Data Protection Supervisor Wojciech Wiewiórowski, do criticise is the “one-stop-shop” mechanism.
“In practice I believe the ‘one-stop-shop’ mechanism has been confusing and inconsistent when dealing with large multinational organisations,” said Enrique Angulo.
“The reasoning is sound but I think the way it operates and coordinates with the various supervisory authorities needs to be improved.”
Guernsey Data Protection Commissioner Emma Martins said the GDPR is “a significant piece of legislation” and that “there will always be elements which can be improved.”
“But, rather than just thinking about how we can improve it, I would like to encourage everyone to look at how it can improve us,” she continued.
“The principles are sound and require us to treat individuals with fairness and dignity—it is a subject on which we may have different views or answers, but it is not something which should be bargained about.”