Authors: Marloes de Bruin & Riesa van Doorn
Today marks 4 years of the GDPR since it came into force in 2018. For many organisations, the GDPR initially caused quite some chaos. Often, it wasn’t immediately clear what was coming their way. A lot of new rules and adjustments, that’s for sure. Although not every organisation fully complies with the GDPR after four years (if that is even possible), most have managed to adapt well over the years. Many ‘best practices’ have been put into place in order to protect people’s personal data and prevent data breaches. The GDPR goes beyond being a big additional ‘administrative’ task. We look back at 4 years with the GDPR. What has it brought us and what’s its impact? Read along!
1. Growth of EEA suppliers
Four years ago, organisations had a lot of freedom when choosing suppliers to work with. With the arrival of the GDPR, however, they started to look more consciously at the geographical location of their suppliers. After all, this location could potentially have major consequences. The GDPR states that when personal data is processed within the European Economic Area (hereafter ‘EEA’), no additional rules apply. Opting for a supplier outside the EEA, however, may be a bit more complicated, sometimes even illegal. A significant example is the 2021 decision made by the Datenschutzbehörde (‘DSB’, the Austrian Data Protection Authority) that deemed the use of Google Analytics unlawful. International data transfers from the EEA to the US fall under GDPR rules. Without Privacy Shield in place, however, the USA cannot guarantee it’ll protect personal data sufficiently, nor appropriately, making the usage of US-based cloud hosting providers (such as Google & Google Analytics) illegal for EEA-based companies. Because of this, EEA companies more often choose cloud hosting suppliers within the EEA itself. A major consequence is a positive impact on these suppliers. Not only have they augmented their market share considerably, they have also matured greatly in terms of privacy and data protection and have thus emerged as a strong competitive force for their USA-based competitors.
2. Political step for the EU
Since the GDPR came into force, the European Union has taken a step forward in preparing organisations for the future. More and more organisations aim to be data-driven. There’s a reason why we refer to data as the ‘new gold’. Organisations collect lots of data, often also personal data, for various reasons. However, it’s become harder to share personal data with organisations outside the EEA. This has ensured that countries around the world have followed the EU in designing and implementing similar legislation. Think of the LGPD from Brazil, the Personal Data Protection Act from Japan and the Canadian Digital Charter Implementation Act. The EU has put itself in a strong position on the world political stage through the GDPR.
However, this dominant position of the EU has diminished as a result of the war in Ukraine. Europe’s dependence on the US in the context of defence and gas, for example, means that concessions have to be made on issues such as data protection. New legislation such as the Digital Services Act and the Digital Markets Act is aimed at European digital sovereignty and the strong dependence on big data and tech players.
3. More data conscious as a citizen
Data has an increasing influence on our actions and our lives (whether we notice it or not). More and more organisations process all kinds of data on a daily basis, and at home, too, we use brand new technologies to make life easier, faster and more efficient. Where some people prefer to stick to their old, reliable Nokia 3310, others can’t wait to install all the smart devices and applications to improve life. From apps, smartwatches and smartphones to smart homes or even smart cities, innovation and development with data creates a different (easier?) life.
Although the GDPR had little brand awareness among citizens at the beginning, the Global Privacy Monitor 2022 shows that awareness has doubled in 2022 compared to 2018. Privacy concerns among citizens are decreasing and the sharing of data is seen as a crucial part of participating in society and the economy. Many people share data when they get something in return, such as certain services, and almost half of citizens only share data with organisations they trust. A side note here is that almost all of us accept all kinds of cookie and privacy statements online without actually reading them. Nevertheless, we are becoming more aware of our rights in the field of data sharing and what impact this has on us as individuals.
4. More control over the digital landscape as an organisation
Organisations with a lot of data struggle to gain control over their digital landscape. Especially within the theme of data, there is often compartmentalisation within large organisations. You’ll find someone responsible for privacy and someone for information security, not to mention the other data-related functions such as data analysts, information management, data stewards, ... Employees who enthusiastically want to start a new project must first ask advice from various departments before they can actually get started. And although this can often be organised better, organisations have increasingly thought about the use of personal data. In many cases, this has led to decisions on matters such as the retention or reuse of data and has created a better overview of what kind of data they actually have in-house. This data is handled more consciously and there is more control over what they do with it.
What the future brings after 4 years with GDPR…
… is still a mystery. Step by step, all ambiguities are eliminated and clear rules are drawn up. To ensure the right culture and mindset, a lot of consultation and awareness is still needed, yet we all know that attention to data protection and information security is not something temporary. Just like quality management, digital working and sustainability, these practices are slowly but surely being embedded in our way of working. Innovative and changing technologies undoubtedly present a major challenge, which will also cause the GDPR to continue to evolve. Happy Birthday GDPR! On to the fifth year. We wonder what the future brings.