The data conundrum: assessing the GDPR’s quinquennial
September 2023 | FEATURE | DATA PRIVACY
Financier Worldwide Magazine
September 2023 Issue
The anniversary of a regulation is generally no cause for reflection. More often than not, such anniversaries pass with little comment. However, this is not the case with the European Union’s (EU’s) General Data Protection Regulation (GDPR), one of the most significant pieces of legislation ever devised.
Passed by the European Union (EU) on 25 May 2018, the GDPR – encompassing 99 articles, 173 recitals and 160 pages of text – imposed data privacy and security obligations directly in EU member states, as well as on companies outside of the EU that target services at individuals in the EU based on the processing of their personal data.
The legislation can also levy harsh fines against those who violate its privacy and security standards, with penalties reaching into the tens of millions of euros. With the GDPR, Europe signalled its firm stance on data privacy and security at a time when more people were entrusting their personal data to cloud services and breaches had become a daily occurrence.
“The GDPR has redefined data protection and privacy globally, and has had a profound impact on many companies,” contends Robin Campbell-Burt, chief executive of Code Red. “It has compelled all manner of companies, both within Europe and internationally, to reassess their data handling practices and enhance extant security measures.”
The legislation’s universality is also a key asset. “Companies often find the nature of data and the cost and time spent on compliance means it may be easier to have one standard set of terms rather than unique sets,” says Jennifer Huddleston, technology policy research fellow at the Cato Institute. “This is particularly true given other countries have passed similar data protection laws in the years following the GDPR, many of which have similar requirements.”
Among the countries influenced by the GDPR are the UK, which enacted the Data Protection Act (DPA), and the US, where the state of California introduced the California Consumer Privacy Act (CCPA) – two pieces of legislation that, like the GDPR, came to pass in 2018.
“The GDPR has introduced a higher standard for data privacy and become the de facto rule for many companies around the world that also operate in Europe,” adds Ms Huddleston.
Enforcement of the legislation has also been rigorous in many quarters. The Irish data protection authority, the Data Protection Commission (DPC), for example, recently fined Meta Platforms Ireland Limited €1.2bn for its failure to properly protect Europeans’ data when transferring it to the US. One of Europe’s smallest countries, Luxembourg, has been active, levying a €746m fine on Amazon in 2021. Other jurisdictions, such as Spain, Italy, Germany and Romania, have also imposed hefty fines, according to the GDPR Enforcement Tracker.
On the whole, the general consensus is that the GDPR has done much to shape data protection practices globally over its five-year lifespan. An overall assessment of the true impact of this behemoth of EU data protection requires a careful unpacking of its multitude of principles, clauses and components.
Assessing the GDPR
Across its five-year existence, the GDPR has made public sector and other organisations accountable for documenting their data processes. It seeks to create transparency around processing and build trust between controllers and data subjects.
Undoubtedly, the GDPR has significantly expanded and broadened the reach of existing privacy laws from what they were prior to May 2018. According to TechTarget’s ‘Business benefits of data protection and GDPR compliance’ analysis, there are six key areas, outlined below, where the regulation has helped companies streamline and improve their core business activities.
First, easier business process automation. Many astute enterprises use their GDPR compliance responsibilities to take a hard look at how well they are managing customer and client data storage, processing and management responsibilities. Whether it is streamlining data processing and lifecycle workflows, data hygiene and cleanup or even greater awareness of security vulnerabilities, there are numerous advantages to be gained through GDPR compliance over and above privacy considerations alone.
Second, increased trust and credibility. Article 5 of the GDPR includes seven fundamental principles: lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability. These principles form the basis and rationale for most laws within the GDPR and are fast becoming the universal data protection principles internationally.
Third, a better understanding of the data being collected. When approached logically, GDPR adherence gives companies a greater understanding and appreciation of their data and how it moves throughout their organisation. With the GDPR’s assistance, marketing and sales teams can, for instance, acquire enhanced oversight into who they can legitimately market products and services to. This approach typically results in smaller and more engaged audiences that are easier to address and manage.
Fourth, improved data management. Many companies have reinforced their data protection programmes by appointing someone to be in complete charge of data use and compliance issues. Typically called a chief privacy officer (CPO) or a data protection officer (DPO), this individual is charged with deploying methods to identify, map and track data flows throughout a company.
Fifth, protected and enhanced enterprise and brand reputation. By protecting consumers’ privacy, organisations not only avoid potential penalties, but can also unlock hidden reputational and brand value. Indeed, GDPR compliance is becoming an increasingly necessary benchmark for companies providing services, as well as for those hoping to distinguish themselves to prospective consumers.
Finally, an even privacy playing field. Prior to the GDPR, companies doing business in the EU frequently faced unfair competition from organisations that paid little or no attention to personal privacy. In such an environment, ethical companies fumbled about as they tried to determine how to reach a level of privacy that protected customers and clients without placing their organisations at an untenable competitive disadvantage.
“The GDPR’s foremost benefit has been reshaping the corporate mindset around data privacy and fostering a culture of respect for personal data,” adds Mr Campbell-Burt. “It has provided companies with a rigorous framework for data processing, transforming practices from data collection to storage and use.
“With enforced transparency, data subjects gained unprecedented insights into how their data is used, breeding trust,” he continues. “The GDPR’s main success in these five years has been the heightened awareness and commitment to data protection globally.”
Less sanguine as to the merits of the GDPR’s track record is Ms Huddleston. “While I am generally critical of the more regulatory approach taken by GDPR and the trade-offs associated with it, one advantage is it created a more uniform solution around certain data protection issues like data breach among European countries,” she asserts. “This is particularly seen around data breach-related issues.”
Compliance barriers
Unfortunately, for all its real and perceived benefits, many companies still face several barriers regarding GDPR compliance, including its complexity, a lack of awareness, limited resources, cross-border data transfers and evolving regulations – challenges they must address to protect data privacy and avoid non-compliance penalties.
“The GDPR has increased the barriers to entry for smaller businesses and startups looking to enter the European market,” observes Ms Huddleston. “This has been seen both in terms of decreased investment in these companies as well as the decreased entry of new apps. There are also new concerns arising about the possibility of conflicts between the GDPR and new proposals like the Digital Markets Act (DMA).”
For Mr Campbell-Burt, a significant hurdle for many companies is the tendency to underestimate the demands of GDPR compliance. “The GDPR is often seen as a tick-box practice, so many companies are only compelled to meet the bare minimum rather than fostering a culture of continuous improvement in data security,” he suggests.
Additional GDPR compliance challenges for companies include keeping up with the complex and evolving nature of the regulation, reconciling it with other global data privacy laws, and investing in necessary infrastructure and training to maintain compliance.
Correcting flaws
Despite the GDPR’s undoubted influence on companies’ personal data handling over the past five years, there exists a fierce debate between European regulators as to how successful the legislation has been in holding tech giants to account. To this end, among others, the European Commission is looking to correct some of the GDPR’s flaws to allow for a more rapid and forceful response to data privacy violations.
“To enhance GDPR’s effectiveness, the EU should introduce stricter enforcement mechanisms and higher penalties for big technology companies violating privacy rules,” suggests Mr Campbell-Burt. “There should be expedited procedures for handling violations and increased collaboration with international regulatory bodies. Such corrections would help to deter non-compliance and ensure the accountability of large corporations.”
That said, any corrections must observe the basic tenet of all data science that privacy does not exist in a vacuum. “While many people value privacy, the impact of the GDPR must be carefully examined to determine if such a regulatory regime actually improves privacy, or merely increases the costs of doing business via compliance requirements while having potential negative consequences on other values like speech and innovation,” adds Ms Huddleston.
Delivered or broken promises?
Ultimately, an assessment of the GDPR is likely to hinge on the extent to which the legislation has delivered on its original promises; that is, to “improve both the internal market dimension and protection of citizens, by providing greater control over their personal data in the digital era and by establishing legal consistency”. In many quarters, the ‘jury remains out’ as to whether these promises have been delivered or broken after five years.
“The GDPR was the continuation of a more regulatory approach to technology policy in Europe and its costs in terms of decreased investment and innovation not only impact regulated companies but European users who have fewer options,” observes Ms Huddleston. “This approach appears to particularly target large, successful American companies for European regulation and is further seen in recent actions like the Digital Services Act (DSA) and the DMA.
“With regard to GDPR specifically, we will likely see more conversations emerge about the potential difficulties in launching innovative technologies like artificial intelligence (AI) and blockchain that may struggle to comply with the requirements of GDPR,” she continues. “Additionally, there remains a question as to whether the GDPR actually improved privacy in meaningful ways or merely created new costly compliance requirements.”
As assessed by Mr Campbell-Burt, the GDPR will continue to evolve to address emerging technologies, such as AI and biometrics, as well as emerging challenges. “The legislation has been instrumental in setting a global standard for data privacy, but it needs continuous refinement to ensure its effectiveness,” he concludes. “While the GDPR has fulfilled many of its promises, the journey to complete data protection is a long road and one we are still navigating.”
© Financier Worldwide
By Fraser Tennant