GDPR - the rigorous regulation for storing and processing the personal data of EU citizens - came into effect over one year ago. Businesses have scrambled to comply or, in some cases, thrown up their hands and carried on as before. But has the agony and expense been worthwhile – and is there a reckoning ahead for complacent companies? Read on for an update on GDPR developments, crackdowns, public opinion, and the inescapable B word.
GDPR: The Basics
- The General Data Protection Regulation (GDPR) was established to create a smooth flow of data between EU member states and give people greater power over their personal data and how it is stored and used. It came into effect on 25 May 2018 and applies automatically to all EU member states.
- It was felt that new laws were needed to reflect the rise of social media and large-scale internet use, and to make it cheaper and easier for companies to comply with a single set of rules.
- All businesses – even those outside the EU – must comply with GDPR if they have data belonging to EU citizens, residents or businesses.
- GDPR states that personal data must be processed lawfully, transparently and for a specific purpose, and people must understand why their data is being collected and how it will be used. Consent for data use must be recorded, and consent can be withdrawn at any time.
GDPR One Year On - What’s New?
Personal data redefined
The GDPR definition of personal data has expanded. This means that as well as an individual’s name, address and date of birth, their IP addresses, location and cookie data also count. Even data disguised by pseudonyms still counts as personal data and remains subject to GDPR rules. Companies are also limited in the way they can use information that indicates ethnicity, religion, sexual orientation or political views.
DPAs are getting tougher
In the early days of GDPR, many of the Data Protection Authorities (DPAs) began with investigations designed to offer guidance to companies and help them comply. Over a year later, this friendly grace period is over, and sanctions are being enforced against industry giants and smaller organisations in several countries.
The whopping fines dished out for GDPR violations this year – including a £99 million fine for Marriott International and £183 million for British Airways – are making companies hot under the collar. But in fact, the regulation makes it clear that fines must be proportional, so if you’re largely compliant and make a minor slip-up, you’re unlikely to receive a severe penalty. The UK regulator, the Information Commissioner’s Office (ICO), says it views fines as a “last resort”.
International response to GDPR
GDPR is influencing global legislation in countries outside the EU, with new data protection laws established in African and Asian countries keen to do business with the bloc. Further afield, Brazil has created its first General Data Protection Law, which comes into effect in August 2020, and in the US the GDPR-inspired California Consumer Privacy Act is applied from January 2020.
GDPR impact on AI technology
Some businesses are becoming increasingly frustrated by the limits GDPR places on developing new technologies. Organisations must explain how they use personal data in artificial intelligence systems, and in automated decision-making such as mortgage applications. AI systems are now so complex that it’s harder to explain and document how they make decisions. The Financial Times predicts that businesses “unable to comply … will end up eschewing advanced AI systems altogether.”
GDPR Consumer Opinion
Despite the insistence of EU policymakers that more regulation would increase consumer trust, a recent European Commission survey found that GDPR has had no impact on consumer trust in the digital economy since it came into force in May 2018.
According to a Eurobarometer survey published earlier this year, 67% of European respondents have heard of GDPR, but 31% don’t know exactly what it is. 73% have heard of at least one right GDPR guarantees, but 27% haven’t heard of any of them.
When it comes to privacy policies published on websites, 60% of respondents read them, but 47% only partially read them, with 66% saying they are too long to read and 31% that they are unclear or difficult to understand. This suggests that in an effort to be sufficiently thorough, many companies have failed to use the “concise, transparent … clear and plain language” demanded by the regulation.
GDPR and Brexit
As GDPR came into force before the UK’s withdrawal from the European Union, the UK must still comply with it. The UK government has created a new Data Protection Act, which replicates the key principles of GDPR.
Under this act, non-compliant organisations can be fined up to £17 million or 4% of global turnover, whichever is higher.
By aligning with GDPR, the UK hopes the EU will allow personal data to flow freely from the EU to the UK. However, an adequacy agreement can only be negotiated once the UK leaves the EU. The agreement could take months to implement, so businesses will have to find alternative legal methods for receiving data from the EU.
Once the UK has exited, it will have no say in the development of data protection law in the EU, despite being one of its key authors. Information commissioner Elizabeth Denham confirmed that the UK “will be a less influential regulator” with no say on how GDPR is interpreted, or how tech giants are regulated.