5 Years of GDPR: Touchdown PR Explores The Legacy of The Legislation To Date
By Olivia Manning, Account Manager
A lot has happened since the General Data Protection Regulation (GDPR) first came into effect under EU law five years ago. The regulations require organisations to take proactive measures where data privacy and security are concerned, and many companies have successfully adapted to the GDPR legislation. However, non-compliance has resulted in significant penalties. Since its genesis, there have been an accumulated 1600 fines for breaching GDPR regulations, totalling a combined sum of €2.78bn.
It’s fair to say that it’s not always been smooth sailing. There have been inevitable hurdles due to the nature and specificity of GDPR laws and their complexities. However, the regulation has prompted significant improvements in governance, awareness and monitoring regarding the use of consumer data. It has developed a common language for businesses to discuss data privacy and protection, setting the standard for legislation across the globe.
GDPR legislation has also adapted to suit the needs of evolving technologies such as virtual reality (VR) and artificial intelligence (AI), persevering through a period of massive innovation. However, in post-Brexit Britain, as the world continues to grapple with new technologies, a shadow of doubt has been cast over the future of GDPR. The question remains: Will it stand the test of time?
What were the major changes that GDPR involved?
Looking back at where it all began, GDPR legislation replaced nearly two-decade-old data protection rules across Europe. The regulation was designed to “harmonise” data privacy laws across all member countries, providing better protection and rights to individuals and introducing a number of big changes.
Coming into effect on 25th May 2018, the main changes the act introduced were:
1. Appointing Data Protection Officers: Organisations that process a lot of sensitive personal data or have large-scale “regular and systematic monitoring” of individuals are required to appoint a Data Protection Officer (DPO). The DPO must report to senior management, monitor compliance with GDPR legislation and be a point of contact for customers and employees.
2. Changing valid consent rules: GDPR legislation strengthens an individual’s rights around automated processing of data. This means people must be provided with an explanation of any decision made about them. Individuals are also given the power to get their personal data erased in certain circumstances e.g. when it is no longer needed for the purpose it was collected, if consent is withdrawn or if it was processed unlawfully.
3. Introducing international data transfer restrictions: GDPR legislation introduced a number of rules about transfers of personal data to receivers located outside the UK. Referred to as a ‘restricted transfer’, it ensures that personal data rights must be protected unless one of the few exceptions applies.
4. Data processors now have direct legal obligations: While processors have less autonomy over the data they process, they have several direct legal obligations under GDPR legislation. For example, processors can only process personal data on instructions from a controller, with whom they must enter into a binding contract. Processors can be held liable for non-compliance if they don’t adhere to these rules.
5. Data Protection Impact Assessments introduced: Data Protection Impact Assessments (DPIA) were introduced as a process to help identify and minimise the data protection risks of a project. It is mandatory for any processing that is high risk to individuals and considered good practice for any major project which requires the processing of personal data.
Initial responses to the UK GDPR laws
For some experts, GDPR legislation was considered an evolution of existing data protection principles rather than a complete overhaul of rights. However, it was the toughest privacy and security law in the world and signalled the EU’s firm stance on data privacy at a time when breaches were a daily occurrence. Organisations were warned of stricter regulations and higher noncompliance penalties, making the hundreds of pages worth of new requirements a daunting prospect for many. In particular, smaller firms and startups were concerned about having the resources available to comply with the new rules.
In the first year alone, there were $63 million of fines issued as a result of non-compliance. The biggest to date was the €746 million imposed on Amazon by Luxembourg’s National Commission for Data Protection in 2021, alleging the company had used customers’ private data to target advertisements without consent. However, aside from the high-profile cases of Amazon, British Airways, Meta and Marriott Hotel, many believe most fines thus far have been a slap on the wrist – with the ICO even sometimes coming under fire for being too lenient.
The GDPR legislation has also come under scrutiny over the years, for being “large, far-reaching, and fairly light on specifics.”
The future of GDPR
Since Brexit, the UK continues to follow GDPR legislation. However, this is all up for change. Recently, the government announced plans to introduce a Data Protection Reform Bill which looks set for a “rights haircut and a slow drift away from the EU standard.” This will lead to new regulations and policies that businesses must adhere to.
We asked some of our clients to weigh in about what this means for the future of GDPR legislation and how companies can ensure they’re acting compliantly.
Alev Viggio, Director of Compliance at Drata, explains: “The challenge here is that many businesses will still have to adhere to EU GDPR and this new system pending their customer base – this can create confusion and complexities in any compliance programme, especially when considering the consequences of fines and violations if they fall out of compliance.”
“As the world becomes increasingly interconnected, the best way for organisations to protect their data is ensuring an integrated governance, risk and compliance (GRC) approach,” adds Gary Lynam, Director of Customer Success, EMEA at Protecht. “A centralised and cohesive system that simplifies evolving requirements of GDPR rules and its new UK Data Protection and Digital Information Bill, and effortlessly keeps pace with future regulatory changes and data protection challenges.”
In our rapidly evolving modern world, keeping pace with regulatory changes is no easy feat. Drata’s Viggio adds: “Generative AI, for example, is rapidly shaping our landscape and challenging our idea of what constitutes personal data and data privacy. With the new UK GDPR update in effect, and new emerging technologies, companies must take proactive measures to ensure compliance or face the consequences of non-compliance.”
As generative AI tools take the world by storm, organisations need to develop and update governance around its usage in the workplace, considering the security, privacy, confidentiality and ethical implications, Asha Palmer, SVP Compliance Solutions at Skillsoft, agrees.
“Creating a holistic generative AI governance structure that is sustainable, trustworthy, and transparent will require shared accountability between those developing the tool and those using it. All stakeholders must come together to understand the risks and consider what protocols are, or should be, put in place to ensure GDPR compliance.”
Want to ensure total compliance with your own operations? Our clients are on hand to help. And, for a fully compliant digital strategy, choose Touchdown PR and showcase your brand in all of the right ways with our PR, analyst relations, and global communications expertise.