GDPR: 5 Years later, where are we?
Five years ago, the world of data protection changed forever with the introduction of the General Data Protection Regulation (GDPR). The GDPR set a new standard for data protection by establishing a comprehensive framework of rules for the processing of personal data. In the years since its introduction, the GDPR has had a significant impact both in Europe and beyond its borders. Within the EU, it introduced a new way of envisioning personal data protection and created a new dynamic for companies processing personal data. Concretely, it introduced new actors in charge of ensuring that these provisions are actually applied, whether at company level with the creation of the Data Protection Officer (DPO), or at national level with the increased enforcement powers given to Data Protection Authorities. In parallel, outside of the EU, it became a real inspiration for other countries.
As we celebrate the fifth anniversary of the GDPR, a new decision from the Court of Justice of the European Union (CJEU) has just been issued. This demonstrates once again how relevant it is to look closely at both the importance of the Regulation, and the way it has transformed the world of data protection.
A European initiative impacting data processing worldwide
An inspirational regulation
Since its entry into force in 2018, the GDPR has had a significant impact on data privacy regulation around the world. This is primarily explained by the extraterritorial nature of the Regulation: it applies not only to data controllers and processors established within the EU, but also to those established outside the EU that process the personal data of EU citizens. While some foreign actors regarded this extraterritorial reach as a constraint, several States recognised the importance of the dynamic set by this Regulation and consider it an example to follow.
This is particularly the case for Brazil’s General Data Protection Law (LGPD), which came into effect in September 2020, and South Africa’s Protection of Personal Information Act (POPI Act), which was revised several times to align with the GDPR before coming into force in 2020. Both of these laws are directly inspired by the European GDPR. Other countries such as Japan, South Korea, Argentina and Canada have modified their legislation to match the standards set by the GDPR. This alignment of foreign legislation is still ongoing, as the Indian Parliament is currently considering similar data protection legislation. Who knows how many countries will have adopted GDPR-like legislation in 10 years!
The Adequacy Decisions
Besides the proud success of the GDPR worldwide, this interesting dynamic also creates a win-win situation for several actors. In fact, if a non-EU country adopts legislation similar to the GDPR, it is more likely to be considered as offering a sufficient level of data protection, and thus to benefit from an “Adequacy Decision” from the European Commission. An adequacy decision makes companies’ lives easier by letting them transfer personal data to that country without having to carry out long and complex assessments. Isn’t it wonderful?
These Adequacy Decisions have become the symbol of the EU’s influence in the data protection world. In this adequacy decision journey, the case of the United States is worth mentioning.
Although the US benefited twice from an adequacy decision – Safe Harbour and the Privacy Shield – both were later invalidated by the EU. For now, transferring personal data to the US is a real challenge, and most international companies have to go through long processes to justify and secure these data transfers. There is a clear need for a new adequacy decision, and the EU intends to play a significant role in the creation of this tool.
This new agreement represents an opportunity for the EU to push for better personal data protection laws in the US. As the negotiations are ongoing, the EU has made it clear that it expects the US to make significant improvements to its data protection laws if a new agreement is to be reached. In particular, the EU has called for greater transparency around US surveillance practices. Will the US follow the path towards European standards? Negotiations are ongoing, and only time will tell!
GDPR enforcement in Europe
While the GDPR marked a significant turning point for personal data protection, there is still work ahead to ensure that companies fully comply with its provisions. EU regulators have reported numerous instances of non-compliance since the implementation of the GDPR, resulting in significant fines.
The financial penalties can be as high as €20 million or up to 4% of annual global turnover. In addition, these sanctions can be made public, which is far from negligible for the image and reputation of companies.
Companies must take data privacy seriously and avoid common mistakes such as excessive data collection, lack of informed consent, lack of security measures, keeping data for too long, and non-compliance with GDPR rules.
A widespread misconception is that only big companies are fined. Yet, the GDPR makes no distinction between large and small businesses when it comes to data protection obligations. All businesses must comply with the provisions of the GDPR and must take steps to protect the personal data they collect and process. Fines imposed on non-compliant companies are based on the severity of the breach and the company’s financial ability to pay the fine, rather than its size or turnover.
While the public is pleased to see the largest companies in the spotlight as bad performers, they are by no means the only ones affected by the fines. The fines listed here demonstrate it. The spectrum is so wide that it goes from GAFAM to the small kebab shop fined 180 euros for non-compliance with general data processing principles. The era when small businesses thought they were safe from everything is well and truly over.
The role of the DPO and how HeadMind can help you
The GDPR created a new role in companies, the Data Protection Officer (DPO), to ensure that organisations comply with the regulation’s data protection requirements.
The DPO plays a critical role in protecting individuals’ privacy rights and ensuring that organisations process personal data in a transparent, lawful, and fair manner. Their role includes advising on data protection impact assessments, ensuring that employees are properly trained on data protection matters, and acting as a point of contact for data subjects and regulators.
The DPO must be versatile, with a broad range of skills and knowledge, to effectively carry out their responsibilities and support the organisation’s compliance efforts.
Having a DPO in place is not only essential for legal compliance, but also for building trust with customers and stakeholders. It demonstrates that your company takes data protection seriously and is committed to protecting the privacy and rights of individuals.
HeadMind Partners offers professional DPO services to help organisations ensure compliance with data protection laws and regulations. Our team of experts can provide guidance on all aspects of data protection, from data processing and storage to cybersecurity and risk management. By working with us, you can have peace of mind knowing that your organisation is compliant with data protection laws and regulations, and that you are doing everything possible to protect your customers’ data. In order to provide this quality of service, HeadMind Partners constantly performs detailed legal monitoring, ensuring that we do not miss the latest legal twists and turns, such as the most recent decision of the CJEU confirming that there is no threshold for GDPR damages. Better GDPR safe than financially sorry!
Hosna Iranmanesh & Kassandra Mas
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR)
- South Africa, Protection of Personal Information Act (POPI Act)
- Brazil, General Personal Data Protection Act (LGPD)
- CJEU Press Release No 72/23, Judgment of the Court in Case C-300/21, Österreichische Post (Non-material damage resulting from unlawful processing of data), https://curia.europa.eu/jcms/upload/docs/application/pdf/2023-05/cp230072en.pdf