The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) has been in force in the Member States of the European Union for three years. Strictly speaking, it has been five years since the GDPR came into effect in 2016; however, the anniversary date of 25 May 2018 marks the end of the two-year transition period granted to companies and public bodies to implement the new uniform data protection requirements in practice.
What you need to know in a nutshell
- After three years, the GDPR is present in daily business practices, as well as in everyday legal life.
- In 2020 alone, fines of around 160 million euros were imposed across Europe.
- The GDPR has sustainably strengthened the fundamental right to informational self-determination.
- Over half of UK businesses were not compliant with the GDPR more than 15 months after its introduction.
- 25 May 2018 was the day that set the framework for data protection awareness and helped to strengthen the right to privacy.
- The majority of companies now see data protection under the GDPR as a competitive advantage.
In this article
- GDPR: Progress for data protection or a blunt sword?
- What does the GDPR actually mean, what is its significance?
- Where do we stand after three years of the GDPR?
- Was 25 May 2018 a good day for data protection?
- What is the significance of the GDPR outside Europe?
- What will happen to data protection in the future?
GDPR: Progress for data protection or a blunt sword?
In May 2018, when the new data protection law became binding throughout Europe, many companies were not prepared despite the two-year transition period. Some saw themselves at a disadvantage in international competition and refused to comply in the hope that the new requirements would remain a damp squib. Others simply lacked the manpower and expertise to implement them. What many had in common was that they perceived the GDPR as an undesirable hurdle and a business nuisance.
What is the situation today, three years after entering into force?
The GDPR has certainly not been a damp squib. On the contrary: in 2020 alone, fines of around 160 million euros were imposed on companies and public institutions across Europe. It is not only large corporations that are affected, with fines in the millions. The majority of violations are committed by small and medium-sized businesses, which then usually have to deal with painful yet often manageable fines (see the fines database of the GDPR portal). The high-profile cases are more likely to cause a stir and raise awareness of data protection in a way that is both effective and sustainable, especially since the majority of them could have been easily avoided by taking appropriate measures in good time (more under Fines and the GDPR: Avoiding fines safely).
What does the GDPR actually mean and what is its significance?
The purpose of the GDPR is to strengthen the fundamental right to informational self-determination. This right is enshrined in Article 8 of the EU Charter of Fundamental Rights. From the perspective of the EU Parliament, a new legal framework became necessary due to digitalisation and developments such as Industry 4.0, Big Data and networking through cloud computing, which have significantly changed the possibilities of using personal data. The People's Republic of China is considered a negative extreme example, with comprehensive state surveillance of the individual and digitally supported social scoring of individual behaviour.
The framework to prevent profiling
To prevent profiling by state or private actors in Europe and to protect the individual's fundamental right to informational self-determination, the EU created a binding legal framework with the GDPR. Importantly, the EU deliberately chose to formulate the new legislation in the form of a regulation rather than a directive. The difference: unlike an EU directive, which always requires transposition into national law, a regulation has general application and is thus binding and directly applicable in every Member State. In the UK, prior to Brexit, the GDPR was supplemented in national law by the Data Protection Act 2018. Following Brexit, to achieve adequacy status with the EU, additional law has been created, known as the UK GDPR. Other than a small number of changes, for example to reflect that the UK is no longer a Member State, this is almost identical to the GDPR.
Since 25 May 2018, the GDPR has been the official data protection law in all EU states and takes precedence over national legislation. This means: all companies and public institutions that process personal data must comply with the new EU rules on data protection and implement corresponding measures. Thus, for the first time, a Europe-wide harmonisation of data protection law has been achieved.
The most important legal principles of the GDPR:
- Prohibition subject to permission: Processing of personal data is generally prohibited unless a legal basis permits it.
- Purpose limitation: Data may only be collected and processed for a specific purpose. This purpose must be clearly communicated and the use of the data documented. Example: If a company collects personal data to fulfil an order, it may not use this data later for advertising purposes.
- Storage limitation: The company responsible must ensure that the identification of data subjects is only possible for the duration of the purpose for which the data was processed.
- Accuracy: Personal data must always be factually accurate and, where applicable, kept up to date. Inaccurate data must be deleted or corrected without delay.
- Data minimisation: Companies must ensure that they only collect as much data as is necessary for the stated purpose. Collecting data in reserve for possible future use is inadmissible.
- Transparency: Consumers must be able to understand the processing of their personal data at any time. This requires comprehensibly formulated data protection declarations and data protection permissions. In addition, companies must be able to provide information at any time about what data they have and how they use it.
- Confidentiality: Companies must ensure the confidentiality of personal data through appropriate technical and organisational measures (TOM). Important: The TOM must be appropriate to the risk and the type of data stored.
Where do we stand after three years of the GDPR?
Three years after entry into force of the GDPR, there are still many companies and institutions across Europe that show a significant lack of compliance with data protection. For example, a representative survey of more than 500 companies in Germany by the digital association Bitkom revealed that only 20 percent of companies with 20 or more employees have fully implemented the GDPR. Even more astonishing: according to the Bitkom survey, six percent of companies in Germany had only just begun implementation in autumn 2020.
Supervisory authorities have been actively investigating violations of the regulation. Whilst the number of fines imposed may have temporarily decreased due to Coronavirus, there has been a clear increase in activity over the past three years. Fines are most frequently imposed for the following reasons:
- Violations of the disclosure and information obligations (Art. 12 to 15 GDPR).
- Lack of a legal basis and therefore unlawful processing of personal data (Art. 5 and 6 GDPR).
- Missing or insufficient technical and organisational measures for the protection of personal data (Art. 32 GDPR).
In our whitepaper "Data privacy mistakes: The 6 most common mistakes businesses make" we explore the six most common UK GDPR mistakes and show you how to avoid them, along with the breaches and fines they lead to.
Was 25 May 2018 a good day for data protection?
Yes, it was. Since the GDPR officially entered into force on 25 May 2018, a fundamental change in awareness has taken place in Europe and the UK. Public awareness and citizens' knowledge of their fundamental right to informational self-determination have grown noticeably. According to a Eurobarometer survey of 27,000 Europeans, at least 80 percent of respondents have heard of the GDPR. 73 percent of people are even aware of at least one of the data protection rights to which they are entitled under the General Data Protection Regulation, for example the right to have their own data deleted.
Such high awareness rates illustrate the importance that data protection enjoys in business and society today. Companies and public institutions that behave in an exemplary manner, and do everything possible to protect the personal data of their customers, partners and employees through appropriate technical and organisational measures, enjoy an advantage in terms of trust and thus tangible competitive advantages. Despite the criticism that exists, companies also recognise these benefits. The Cisco Privacy Benchmark Study 2021 highlighted that, whilst lower than in 2019, the average organisation was still getting a return on investment of 1.9x in 2020.
What is the significance of the GDPR outside Europe?
According to a Statista survey in September 2020, seven out of ten companies even think that the GDPR sets global standards for the handling of personal data. Since the General Data Protection Regulation set the legal framework in Europe, it has triggered a lively international discourse on data protection rights. In the Western world, it is largely undisputed that the right to privacy is at risk in the digital age and therefore requires special attention. What form this should take and what legal framework conditions should be derived from it, however, is a matter of controversial discussion internationally.
The GDPR has an impact far beyond the borders of Europe, due both to its content and, in part, to purely economic constraints. Its technical and legal approach to data protection is considered exemplary by many internationally, for example by the legislature of the US state of California. In 2020, the state legislature enacted the California Consumer Privacy Act (CCPA), a new data protection law in the home of Silicon Valley and the US tech giants, which is strongly reminiscent of the GDPR.
The transfer of data to third countries
Added to this are economic constraints imposed by the EU legislation itself. Transfers of personal data to third countries are restricted, but can still be implemented compliantly in various ways. These include, for example, an adequacy decision by the EU Commission for a third country in accordance with Art. 45 GDPR, where no further measures have to be taken to enable the transfer, e.g. data transfer to Switzerland. If no such decision exists, a data transfer can still take place, but its lawfulness must then rest on appropriate safeguards according to Art. 46 GDPR. In addition, further exceptions, such as the explicit consent of the data subject, can be found in Art. 49 GDPR. For international companies operating in Europe but storing personal data on servers outside the EU, this can become a challenge. The consequences: the internet offerings of some US services, including for example some large US daily newspapers, are now only accessible to a limited extent for users with European IP addresses. The providers prefer to block access from Europe rather than comply with the requirements of the GDPR.
What will happen to data protection in the future?
Data exchange with third countries is one of several areas where many questions remain open, and Brexit has added further ones. Currently, the differences between the EU and the UK in terms of data protection are very small, and an adequacy decision is not expected to be opposed by EU Member States. However, it is questionable whether this will remain the case in the future. The UK will now develop its data protection laws separately from Europe. Whether Brussels will then still certify the adequacy of the UK's level of data protection remains open.
One thing is certain: data protection will need to continue to evolve in the future as digitalisation progresses. This makes it all the more important for companies and public institutions to keep up to date and continuously adapt their own processes, structures and technical and organisational measures (TOM) to the requirements. This is the reality we all face.