The EU General Data Protection Regulation turns two as society embraces an even greater reliance on the digital economy. While much of the world remains in a COVID-19-induced lockdown, more and more people are turning to telehealth, distance learning, and remote offices to facilitate a new normal. This experience has brought with it some obvious takeaways (such as: working from home is hard in a pandemic), but it also highlights the importance of data protection and privacy as we turn to a new level of internet-dependent connectedness.
Entering into full force on May 25, 2018, GDPR created a largely uniform approach for how personal data is collected, stored, processed and disposed of by entities within EU member states. Because it also applies to entities that operate within the EU or whose customers are located within member states, GDPR cast a wide net over those who need to achieve compliance.
To understand if the regulation impacts your business, it is important to start with some basics. For starters, you must understand where your company is based, where customers are located, and how it manages the data it holds. Next, it is important to understand how GDPR defines personal information and what companies it designates as a controller or a processor.
Under GDPR, principles were established for processing personal information — which it defines as any information relating to an identified or identifiable natural person. Among some of its requirements, GDPR stipulates that personal data must be processed “lawfully, fairly and in a transparent manner,” be collected for “specified, explicit and legitimate purposes,” and that entities implement data minimization and limitation. It also standardizes requirements for breach notification, the right to be forgotten and consent.
The impact of GDPR’s passing and implementation has been much more than the hefty fines associated with noncompliance, although the threat of €20 million or up to four percent of a company’s annual turnover was enough to garner significant attention. To date, member states have collected more than €460 million in fines and more enforcement is on the horizon.
GDPR created a new norm for consumers’ data expectations. While there may have been an informal grace period, the proliferation of privacy legislation means that companies must have a clear understanding of the data they hold and treat it responsibly — whether it be for compliance with GDPR or the next privacy regulation coming down the pike.
Regions such as Brazil and California have drafted and enacted similarly minded privacy legislation aimed at requiring companies to be better data stewards and placing more power in the hands of the consumer. In a post-GDPR world, good data governance is increasingly seen as an essential strategic move for a company.
Privacy requirements have undergone a remarkable transformation over the past few years. Despite the pace of change, there is still more to come. Regulations will be ironed out, fines will be levied, and clarity will follow. As a company, if you haven’t taken steps to address what data you have and understand its lifecycle, it would be wise to start the process. Two years late is better than not showing up to the party at all.