An Overview of Five Years of GDPR

By Nikhil Sonawane - May 24, 2023

This month marks the fifth anniversary of the European Union’s General Data Protection Regulation (GDPR). The European Union adopted the legislation in 2016, and it has been enforced since 25th May 2018. It governs how companies in European and non-European regions gather, store, and process the data of European citizens.

According to a report by DLA Piper titled “GDPR fines and data breach survey: January 2021,” approximately USD 332.4 million in fines had been imposed for multiple infringements of data protection laws. Most European citizens consider GDPR enforcement a historic moment for the protection of their privacy rights.

“The EU’s GDPR has had a tremendous impact on how organizations around the globe handle personal user data since the regulation was enacted five years ago. The threat of substantial fines, including the almost €3 billion levied since the regulation went into effect, has forced companies to take privacy and security more seriously. And the impact is not just contained within Europe; GDPR has inspired over 100 other regional privacy standards, including those in many of the individual US states,” says Michael Covington, VP of Strategy at Jamf.

Even though GDPR is widely regarded as one of the European Union’s biggest accomplishments, a few industry veterans were skeptical about its enforcement. Because of the ambiguity of the legislation, many businesses were confused about the compliance requirements even after enforcement began, and a few organizations remain skeptical, citing the law’s negative impact on business scalability and innovation.

GDPR is an attempt by regulators to govern how data is used. Since its enforcement, it has become a ‘gold standard’ for protecting users’ privacy because of its stringent nature. It is difficult to overstate its consequences and impact, both in the European region and in other countries.

As GDPR celebrates its fifth anniversary this year, let’s look at its five-year journey so far.

A GDPR Overview

To ensure GDPR compliance, organizations must adhere to multiple rules, such as obtaining the user’s consent, building privacy into system design, and notifying users in case of a breach. The legislation grants users multiple rights over how organizations access and control their data, including the right to be forgotten and the right to data portability.

Under GDPR, every member state must designate a Data Protection Authority (DPA) responsible for monitoring and enforcing the law. Even after five years, enforcement still faces multiple challenges, but implementing GDPR has helped organizations improve their security practices.

  • The fundamentals of GDPR are established to secure users’ data. In this context, Personally Identifiable Information (PII) is any information that can be used to directly or indirectly identify a user. PII includes name, location information, IP addresses, gender, email address, and biometric data.
  • Processing of personal data includes gathering, storing, sharing, structuring, evaluating, and deleting it.
  • The user whose information is being processed is the data subject. These users may be the clients of a product or service or visitors to a website. GDPR makes it mandatory to obtain their consent before any of their PII is gathered or processed, and the data subject has the right to revoke that consent at any time.
  • An organization, individual, or authority that sets the specifics of data processing is known as a data controller. In doing so, a data controller must establish how it collects data, who the data subjects will be, how it will use their PII, and the means by which it will do so. Most often, businesses are data controllers; for instance, a retail chain that wants to offer targeted ads to potential customers. The retail chain needs to be transparent with users about how it collects, stores, and uses their data. Data controllers can work independently or bring third parties on board as data processors.
  • Data processors are third parties that execute the processing based on the instructions given by the data controllers. Software-as-a-Service (SaaS) vendors, such as Customer Relationship Management (CRM) and Business Process Management (BPM) software providers, are examples of data processors.
  • If data controllers and processors do not comply with GDPR, they are liable to pay fines.

GDPR restricts gathering data about ethnicity, caste, sexuality, political opinions, and other sensitive categories in most circumstances. A few non-profit organizations and public authorities have exceptions allowing them to gather such information for archival or record-keeping purposes.

Who has to comply with the GDPR?

GDPR applies to all people residing in European Union member countries. All organizations conducting business in the EU must comply with GDPR. Additionally, an organization that is not based in the EU but has a client base there must also comply with the rules imposed by the regulatory authorities.

For instance, an enterprise that operates out of America but offers products or services to clients in Spain has to comply with GDPR.

GDPR Fines / Penalties

The fines imposed by the regulatory body must be effective, proportionate, and dissuasive in every individual case. The authorities follow a standard catalog of criteria when deciding whether a penalty should be imposed and at what level.

For severe violations that fall under Art. 83(5) of GDPR, fines can be up to 20 million euros, or up to 4% of the organization’s entire global turnover of the previous fiscal year, whichever is higher.

For less severe violations that fall under Art. 83(4) of GDPR, fines can be up to 10 million euros, or up to 2% of the organization’s total worldwide turnover of the previous fiscal year, whichever is higher. The Enforcement Tracker offers a holistic view of all the reported fines and penalties that data protection authorities within the European Union have levied so far.

Ongoing Challenges of Implementing GDPR

GDPR’s consistency mechanism requires the supervisory authority in the member state where an organization has its main establishment to take the lead on all privacy-related concerns involving that organization. However, not all member states have a supervisory authority equipped to take the lead on every privacy-related issue.

Another challenge for GDPR regulators is the disparity between their resources and those of the organizations they oversee. Regulatory bodies have limited resources, while large enterprises have greater revenue and better resources. These big organizations look for loopholes in the legal proceedings and file appeals to minimize their fines.

Moving ahead with GDPR

Despite the tremendous challenges of enforcing GDPR, regulatory bodies are evolving their rules to strengthen users’ right to privacy and to penalize organizations that do not comply. Other countries must also establish and enforce similar laws to ensure better compliance.

The enforcement of GDPR improves organizations’ security practices and strengthens users’ right to privacy. The EU’s regulatory bodies, however, are still struggling with regional inconsistencies and need more resources to cope with the increasing number of requests.

Nikhil Sonawane

Nikhil Sonawane is a Tech Journalist with OnDot Media. He has 4+ years of technical expertise in drafting content strategies for Blockchain, Supply Chain Management, Digital Transformation, Artificial Intelligence, Big Data, SaaS, PaaS, cloud computing, Data analytics, Enterprise Resource Planning (ERP) solutions, and other emerging enterprise technologies and trends. With eclectic experience in working on and writing about complex enterprise systems, he has an impressive track record of success. Through his specialized knowledge of thoughtful and compelling writing styles, he covers a wide range of topics that delve into organizational effectiveness, successful change, and innovation management. His commitment to ongoing learning and improvement helps him deliver thought-provoking insights and analysis on complex technologies and tools that are revolutionizing modern enterprises. He brings his eye for editorial detail and keen sense of language to every article he writes. If traveling were free, it would be difficult to trace him.