GDPR – From Principles to Opportunities
The General Data Protection Regulation (GDPR) is a regulation in European Union (EU) law which enforces and standardizes data protection practices for data subjects in the EU and the wider European Economic Area (EEA). The EEA includes Iceland, Liechtenstein and Norway alongside the EU Member States (Switzerland is not an EEA member and has its own data protection law). The regulation was adopted by the European Parliament on April 14, 2016, and became applicable on May 25, 2018. Although it is a regulation applied by the Member States of the EU and EEA, it protects anyone located in these countries regardless of nationality, so it has global consequences: an organization that is not established in the EU but offers goods or services to, or monitors the behaviour of, people in the EU must comply with the GDPR whenever it collects, stores or processes their personal data.
The GDPR emerged as a response to the need for data privacy in an era where digital presence is inevitable and privacy has, with it, become an increasingly distant notion. As such, the regulation is not entirely unprecedented in its subject matter, since countries like Germany or France already had data privacy laws in place, some of them stricter than the GDPR, but its complexity, comprehensiveness, territorial coverage and applicability are indeed unprecedented. It came as no surprise that the consequences for the big data players, led by Google and Facebook, would be equally unprecedented. A year after the GDPR took effect, the most notorious consequences are the potential fine of up to 1.6 billion dollars facing Facebook for noncompliance, and, the most bitter of them all, the 50 million euro (roughly 57 million dollar) fine imposed on Google by the French regulator CNIL, a fine which is currently being appealed.
Among the 99 articles of the GDPR, the principles and rights which dominate its legal and privacy background are “consent”, “privacy by design”, the “right of access”, the “right to be forgotten” and the “right to be informed”.
- Consent entails that the data subject must be presented with a clear choice and must decide beforehand whether to accept or decline the request for his/her data to be collected by the service provider (the data controller). Under Article 4(11) consent must be freely given, specific, informed and unambiguous, so the way the request is presented must be strictly unambiguous: pre-ticked boxes, silence or inactivity do not count as consent.
- Privacy by design (Article 25, “data protection by design and by default”), as the name suggests, means that the systems which collect data should build data protection into their architecture from the outset, and should default to the most privacy-protective settings.
- Right of access (Article 15) grants data subjects the right to obtain from the data controller confirmation of whether their data is being processed, a copy of that data, the purposes for which it is processed and the third parties with which it is shared.
- Right to be forgotten (the right to erasure, Article 17) is a central part of the GDPR and is the natural next step after the right of access: data subjects have the right to ask the data controller to permanently erase the personal data it holds on them. It is through the right of access that a data subject learns whether any sensitive or personal information about him/her is stored by the controller at all. Looking at the nature of the fines and complaints so far, organizations fail most often in granting access and erasure, mostly by missing the regulated response deadline (one month from receipt of the request under Article 12(3), extendable by two further months for complex requests), and in some cases also by failing to inform the data subject, which is a breach of the right to be informed.
Beyond the legal, financial and data protection hassle and speculation that the GDPR has caused to many, it has also presented a lot of opportunities of a novel nature. Apart from legal professionals, who have had a lot to study and monitor but also a lot of new work, the world of certification and auditing has seen interesting, rather prosperous openings worldwide. Not to mention that information security professionals have seen a rapid increase in demand for their work, since Article 37 of the GDPR requires public authorities, as well as organizations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data, to designate a Data Protection Officer (DPO). The DPO need not be a full-time employee or hold a particular certification (Article 37(6) allows an external DPO working under a service contract), but must have expert knowledge of data protection law and practice. So, in other words, it is truly a golden age for information security professionals, both in implementation and in auditing.
The GDPR does not prescribe a specific certification or mandatory external audit, but under its accountability principle (Article 5(2)) organizations must be able to demonstrate compliance, which in practice means keeping records of processing activities, running data protection impact assessments for high-risk processing and submitting to internal or external audits. For organizations which already have standards in place, such as ISO 27001, the king of information security standards, it does not take a lot of additional work to comply with the GDPR, since a good portion of the information security doctrine should already be implemented, working and under continuous monitoring. However, organizations which deal with sensitive data and are not compliant with or certified against any information security standard will have to do the extra work in order to comply and avoid fines.
In any case, the implementation of the GDPR is definitely a positive development in an era where connectivity, in its most dominant form, has become essential, and like every other positive advancement it comes with costs. This cost is a sacrifice in privacy, and many consider that the enlightened pioneers of data privacy in the 1970s (a time when the ideas behind principles such as “privacy by design” were born, although they were not brought to life until the 1990s) were not taken as seriously as they should have been.
In other words, regulations like the GDPR are not only essential but, measured against the pace of technological advancement, a bit belated, and this delay has caused a lot of trouble to individuals as well as big companies in all industries, from technology to hospitality, credit card processing, banking and so on.