The General Data Protection Regulation (GDPR) was adopted in 2016 and has applied since May 25, 2018. It replaces the 1995 Data Protection Directive and sets specific, directly applicable data protection rules. The GDPR applies to any organization that processes the personal data of people in the EU, whether the organization is established in the EU or offers goods or services to, or monitors, individuals there from outside it, and it covers every processing activity, including collection, storage, sharing, and deletion.
The GDPR requires businesses that handle personal data to take appropriate technical and organizational measures to prevent accidental or unauthorized access, destruction, alteration, disclosure, or use. They must also keep the data accurate and protect its integrity against corruption.
However, today, in the fourth year of its application, 27% of companies are reportedly still not GDPR compliant. There can be various causes behind this, such as the complexity of the GDPR, a lack of knowledge about it, the high cost of implementation, and so on.
So, what can we expect from the GDPR in the future? Will it become more lenient, or will it be enforced more stringently? Let's look at some possible developments in this article.
Current status of the General Data Protection Regulation
Ever since its inception, the GDPR has been making headlines for various reasons. Its launch raised a lot of awareness about data privacy and protection among the general public.
Preparation also appears to matter in practice. Among companies that planned to be GDPR-ready within the next year but had not yet implemented changes, an average of 100,000 records were exposed per breach. The largest share of data breaches, and the largest losses, occurred at laggards that had made no preparations for the GDPR at all: for them, the average number of records lost was 212,000. The difference is evident, and companies that put effort into GDPR compliance tend to be more resilient.
A good example is Norway, which, in the fourth year of the GDPR, is working on a way to transfer personal data to the US lawfully and safely. The country has not only implemented the GDPR's rules but has gone beyond them to ensure extra protection.
Like the EU member states, Norway (an EEA member that applies the GDPR through the EEA Agreement) has also adopted its own supplementary rules. These cover credit checks and camera surveillance in the workplace, employers' access to employees' work files and email, and data collection in the healthcare sector.
Norway's data protection authority is Datatilsynet, and it aims not just to enforce GDPR compliance but to exceed its baseline. Over the past four years, the DPA has imposed fines on a number of public sector entities that failed to comply with the GDPR. These entities were not following the required legal procedure, and personal data was being processed without adequate security.
To date, the biggest fine imposed by Datatilsynet was on the US-based dating app Grindr. It fined Grindr around $7.4 million (reduced from the amount first proposed) for sharing users' personal data with advertising partners without a valid legal basis. The Norwegian DPA's position was that under the GDPR no company may share personal data without a legal basis.
The legal basis for sharing data can be consent; necessity, where the sharing is needed to provide the service the user has signed up for; or the company's legitimate interests, provided those interests are not overridden by the users' rights and freedoms. For special categories of data, such as the information revealing sexual orientation at issue in the Grindr case, explicit consent is required.
Changes we can expect in GDPR in the future
When we examine the impact of the GDPR over the years since it took effect, it appears to be effective. The current regulation protects people's data privacy while allowing companies to process personal data to keep their businesses running, and it does so while protecting the fundamental right to data protection.
However, there is always room for improvement, and the GDPR has its gaps. Therefore, many people also take measures themselves. For instance, users install VPN applications to improve their privacy and anonymity online. A Virtual Private Network encrypts internet traffic between the device and the VPN server and hides the user's IP address from the sites they visit, which makes network-level tracking and some privacy invasions harder to carry out. It does nothing, however, against cookie-based or browser-fingerprint tracking, which identifies the user regardless of IP address.
The most common issues with GDPR
- Procedure. In the Norwegian DPA's experience, there is still room for improvement in the procedural framework. It expected that over the past four years companies would have become more transparent about how they handle user data, and that users would have gained more control over their data, but that has still not materialized. Therefore, we may see procedural changes to fill these gaps in the coming years.
- Compliance. Many companies are still not compliant with the GDPR. Regulators expect that in the next few years more companies will make the effort to comply. Also, now that people are becoming more aware of their data privacy rights, they will put pressure on non-compliant companies. In this way, we can expect better compliance in the future.
- Data transfer policies. Many EU countries face problems transferring personal data to the US, particularly since the Court of Justice of the EU invalidated the EU-US Privacy Shield in its 2020 Schrems II judgment. This makes using US service providers problematic even when the data is stored in Europe, because a US provider remains subject to US jurisdiction and US government access requests. At the same time, European countries are not prepared to lower their protection standards for the sake of transferring data. Work on a replacement transfer framework is under way to resolve this.
The GDPR has been successful in protecting people's data privacy to some extent. However, many companies still need to improve their compliance. In the coming years, we can hope that more countries adopt GDPR-style laws and that procedural changes make the regulation more effective. Also, the US and Europe may agree on a new framework for data transfers, which would benefit both sides.