I think most people have heard about the General Data Protection Regulation (GDPR). Still, the subject is not the sexiest topic to discuss during informal conversations. Many people see the GDPR as a liability (too many rules) instead of a guideline to defend people’s privacy in a world where data rules and private data are available and traded without the knowledge of the final owner of this data: you.
Most security awareness training programs touch on the GDPR, but many people feel that this is a (boring) topic for lawyers. This mindset is a misconception: individuals can create unwanted situations for an organization by handling (private) information in an insecure way, leading to data leaks that may trigger fines and awful PR for the organization. In fact, the contrary is the case. GDPR guidelines are an essential part of your risk management strategy, and following the GDPR principles improves the security of your most valued corporate secrets (personal information, intellectual property, inventions, strategies, etc.). Because the GDPR is a critical component of your risk management strategy, it is not surprising that it is also an essential topic in ISO27001 certification. With the growth of data and of (European) legislation regarding this data, this role will only increase. In this post, I will discuss the origins of the GDPR and why it shapes not only EU legislation but also that of other countries. Additionally, I will explain why a data-processing organization needs to keep an eye on the GDPR, and why it also affects organizations outside the EU.
GDPR Origins
Experts regard the EU’s General Data Protection Regulation (GDPR) as the world’s strongest set of data protection rules since its introduction. As our online presence increases through social media, digital banking, and other means, countries worldwide have realized that they cannot be left behind when protecting their citizens’ data.
GDPR was adopted in Europe on May 24, 2016, and became fully effective on May 25, 2018. Building on previous European laws from the 1990s, GDPR aims to harmonize data privacy laws across the EU and better protect its citizens through 7 core principles, including transparency, purpose limitation, accuracy, and others.
Why the GDPR is Unique
What makes GDPR unique is that its scope extends beyond the borders of the EU: any organization handling the personal data of EU citizens is subject to European law, no matter where in the world it is located. Three years after it came into application, GDPR fines in the third quarter of 2021 totaled €1 billion worldwide, 20 times more than in the first two quarters of the year combined. The largest fine in the regulation’s history was imposed on Amazon in 2021, for a whopping 746 million euros.
The most recent notable case dates from 2 September 2022, when the Data Protection Commission (DPC) fined Meta, the owner of Instagram, 405 million euros. The European Data Protection Board (EDPB) judged that processing children’s data was necessary neither for the performance of a contract nor for Meta’s legitimate interest, meaning that Meta infringed Article 6(1) of the GDPR by processing personal data unlawfully, without an appropriate legal basis. The decision of the EDPB Chair was historic: it was the first EU-wide decision on children’s data protection rights. The decision is (again) a warning to organizations that the GDPR comes with rigorous data protection standards, leading to considerable penalties if they are not applied carefully.
Meta will appeal the DPC’s ruling, but the chance of reversing the decision is slim. A critical mental note for organizations that process vast amounts of data: you always have to check that all the data you collect is handled in line with GDPR guidelines, to prevent any bad surprises (fines, lawsuits, etc.).
GDPR: an evolution in privacy law, not a revolution
GDPR makes a difference for EU residents and inspires other countries to amend or introduce privacy laws modeled on their European counterpart. From Brazil’s LGPD to Qatar’s Law No. 13 of 2016, GDPR is the world’s leading privacy law.
Elizabeth Denham, Information Commissioner of the United Kingdom, described GDPR as evolutionary rather than revolutionary. Although privacy laws already existed in various parts of the world, with the German state of Hesse being the first in 1970, GDPR has built on its foundations by tightening specific standards and introducing new approaches to data protection. Concepts such as data subject consent distinguish GDPR from its predecessors.
While GDPR is undoubtedly not perfect, as evidenced by criticism of its vague provisions and its lack of guidance and clarity about international data flows, it is currently one of the world’s most stringent data protection laws.
Many countries are adopting legislation similar to GDPR, including for financial purposes. Countries that want to trade with the EU, and European companies operating outside it, are required to follow European law, prompting their legislators to adopt similar standards. Chapter V of GDPR states that you are not allowed to transfer the personal data of EU nationals to third countries unless the country’s regulations are deemed adequate or appropriate safeguards are maintained. Because of these regulations, other countries are “forced” to introduce regulations aligned with GDPR standards: an evolution. Nations are not forced to change, but “go with the flow” in order to do business with the EU in the most practical (risk-averse) way. The “go with the flow” approach is evolutionary rather than revolutionary because the EU doesn’t impose any rules on other countries: they are free to set up their own standards, safeguard compliance with EU standards, or even stop doing business with the EU altogether.
How GDPR inspires US privacy regulations
As discussed previously, the two companies that received huge fines were US-based, meaning that US companies are in the line of fire when doing business with the EU. The current US data privacy situation is a patchwork of laws created independently by the states, without an overarching national law. According to the International Association of Privacy Professionals, 20 U.S. states had proposed their own privacy laws by 2021, many of them taking inspiration from GDPR. As discussed previously, this is a double-edged sword: the states strive for more data protection for their citizens while, by aligning their guidelines with EU legislation, also protecting businesses against EU fines and legal proceedings for violating the GDPR.
An example of a US state law that aligns with GDPR is the California Privacy Rights Act of 2020 (CPRA). The CPRA was passed on 3 November 2020, builds on the previous California Consumer Privacy Act of 2018, and shares several similarities with its European counterpart. Among other things, the law provides rights regarding children’s data and its use, the collection, transfer, and deletion of personal data, and the possibility of fines for data breaches. The law is user-centric because it gives California citizens more rights and protections. The law will take effect in 2023.
Following the Californian CPRA, the state of Virginia will enact Virginia’s Consumer Data Protection Act (CDPA). The law gives consumers the right to see, obtain, delete, and correct personal data collected by a company. It also includes a definition of “sensitive data” in the same sense as GDPR. These two examples show US states closing in on GDPR with their legislation. Still, they also indicate a fragmented legislative landscape across the US states: there is no national privacy legislation comparable to GDPR. A 2021 Morning Consult poll found that 83% of U.S. voters believed that passing federal data privacy legislation was a “top priority” or an “important but low priority.”
The future of data protection legislation
With a rapidly evolving technological landscape and a desire to safeguard the personal rights of individuals worldwide, data protection regulations will continue to evolve. The European Union is in the lead in this endeavor and announced a series of bills in 2021 that will complement GDPR. These include the Digital Governance Act, the Data Act, the Cybersecurity Act, and the ePrivacy Regulation. Time will tell what impact these laws will have on an international scale.
India will also introduce its data protection bill soon. The Indian government was inspired by the GDPR when creating this bill. Because of this, the bill shares many similarities with GDPR, such as the definition of data consent, the data trustee, and the timing for reporting a data breach. Experts on privacy law expect Indian regulation to have a strong international impact because of the country’s population and India’s role in the global data economy.
Final Thoughts
As the world shifts to a more digital reality following the COVID-19 pandemic, data protection and the rights over our personal information will continue to be embedded in national laws, constantly evolving with new technologies and international regulatory landscapes. Organizations should keep their eyes open because of the continuous growth in stored data. In many cases, organizations don’t even realize they are managing data in a way that is not compliant with GDPR guidelines, meaning that they risk fines and lawsuits initiated by the DPC.
By continuously verifying your data handling against the GDPR, your organization mitigates the risk of non-compliance with both GDPR and ISO27001. In my opinion, organizations can best place this task with the ICT department responsible for maintaining and expanding the organization’s data warehouse, in collaboration with the HR and legal departments. By appointing a Data Protection Officer (DPO), you safeguard your data. You can assign a DPO internally, but you can also outsource this task to an external party. In addition, organizations require a Chief Information Security Officer (CISO).
Based on practical experience, I note that many organizations appoint a CISO and a DPO but use these roles only “ceremonially.” By this, I mean that the CISO/DPO doesn’t work on creating, optimizing, and maintaining an Information/Data Security Framework because the persons in these positions are already absorbed by other tasks. The function of CISO/DPO is then not actively performed. Senior management might at first see the investment in a CISO and a DPO (the two positions must be kept separate) as a “money sink.” Still, the examples in this post show that, in the long run, these positions are essential to your risk management strategy.
Feel free to contact me if you have questions or any additional advice/tips about this subject. If you want to be kept in the loop when I upload a new post, make sure to subscribe so that you receive a notification by e-mail.