Part 2 - GDPR @ 2 years and beyond

The General Data Protection Regulation (EU/2016/679) (GDPR) is two years old! To celebrate, in Part 1 of our 2-part series, we looked at the trends we have seen in 2019 and 2020, the biggest fines that have been received, and in this Part 2, we consider how we can all play a part in its future. 

It goes without saying that the GDPR is a world-leading standard in privacy matters.

The EU Vice-President for Values and Transparency and the EU Commissioner for Justice, Vēra Jourová and Didier Reynders, declared when celebrating its second anniversary that the rules set out in the GDPR have shaped not only the way we deal with our personal data in Europe, but have also become a reference point at global level on privacy.

In the last two years, citizens of the EU and businesses have become more aware of the importance of data protection, and the EU has supported this growth through online relationships. It has now consulted 4.3 million businesses and citizens online and assisted them with their data protection queries. The Information Technology Industry Council has agreed that the GDPR is a landmark regime which has transformed data privacy.

In Part 1 of this 2-part article, we discussed a few of the cases, sanctions and key policy areas that have involved the GDPR. One thing is clear - whilst the GDPR may be a gold-standard for privacy protection, it is not without its pain-points, typically as technology has so rapidly developed since recent the inception of the GDPR.

Indeed, the European Council has recognised in its yearly review of the GDPR that, while the GDPR has been an important milestone for data privacy, new technological developments present specific challenges as they develop so quickly.

This means that while everyday life and technology moves quickly there is the danger that the adaptable rules that were developed are left behind, with a lack of concrete decisions from supervisory authorities.

So, how can we approach the development of the GDPR when balancing the rights of data subjects with the usual day-to-day necessities that businesses have?

Looking to the future 

For now, the GDPR is certainly a gold standard which all businesses can aim for- even if some of the rules are arguably onerous.

It would be great to see the GDPR being more refined for certain innovative technologies such as artificial intelligence and machine learning, with exceptions being carved out for personal data categories such as biometric data to allow the technologies to develop.

For this, we await the e-Privacy Regulation which was supposed to come into force at the time of the GDPR. We also await more concrete guidance on how EU-UK data transfers may be affected at the time of the GDPR’s third birthday, when the UK should no longer be a member of the EU.

Of course, we are also anticipating the effects of Brexit,  with Michel Barnier stating after round 3 of the Brexit negotiations that the path the UK seems to intend to take on data protection is “concerning”.

The CNIL has announced that in the second year of the GDPR, 64,900 organisations have appointed a data protection officer which is an increase of 31%.

A data protection officer can assist businesses in these everyday balancing tests, and we encourage all businesses concerned with their privacy obligations to consider doing the same- check out more in-depth guidance on whether your business might need a data protection officer here!

Jourová and Didier in their statement have advised that while the privacy landscape in Europe has been changed, compliance is a dynamic process that will not happen overnight, and the EU does not think that national data protection authorities have reached their full authority yet.

Looking to Year 3

The priority for the third year of the GDPR is to continue to ensure the rules are applied uniformly and appropriately, and to facilitate the implementation of the rules. It hopes to engage with international partners to continue to develop privacy standards and promote the innovation of new technologies. 

The Information Technology Industry Council has suggested that there remains challenges relating to funding and harmonised application. It believes that national data protection officers require more access to funds so that they can develop further guidance and implement certification schemes for international data transfers. It also hopes for a “One-Stop-Shop” mechanism, to allow national data protection authorities to lead cross-border investigations.

So, it looks like the future of the GDPR depends on a collaborative approach to continue between businesses and their counterparts. It is up to us, as innovators, to promote a culture of data privacy within our businesses. With authorities sticking to their promise of avoiding a hard application of sanctions and rules, it seems that we must lead the way by interpreting the rules and applying them to everyday business life. 

To get started with this, check out some guidance from the UK ICO has published SME specific guidance and support, including resource pages, FAQs and templates!

Lastly- do not get complacent. While the fines issued tend to be a last resort, they are substantial and would heavily affect a business. As well as this, even in the absence of a fine, if business was negatively looked on by an authority the effects on reputation and customer trust could be serious.

If you have any questions about how you can adapt your business to be compliant and contribute to the development of the GDPR, please don’t hesitate to get in touch!

Article by Lily Morrison @ Gerrish Legal, first published on Medium in May 2020 / Cover photo by Glen Carrie on Unsplash