Celebrating GDPR's Fifth Anniversary: Five Key Challenges for Privacy Professionals
Today (May 25, 2023) marks the fifth anniversary of the entry into force of the General Data Protection Regulation (GDPR). When it was enacted in 2016 (and entered into force two years later), GDPR revolutionized the digital landscape, ushering in a new era of data privacy and security for the European Union. While it aimed to harmonize data protection laws across EU member states, it also had profound global repercussions, influencing how businesses worldwide handle personal data.
More than that, at the international level GDPR has become something of a gold standard for third countries adopting their own privacy legislation, meaning that its principles and concepts (themselves firmly grounded in Fair Information Principles like the OECD Guidelines) are mirrored in privacy laws across the globe.
Finally, five years down the road, GDPR remains very much a moving target for academics and practitioners alike. Not only does it require constant reinterpretation in relation to the fast-evolving legal landscape on digitalisation (the privacy aspects of generative AI being but a recent, trendy example), but its core concepts (What are personal data? Who is the data controller?) are also often re-evaluated and tweaked by jurisprudence, both at the level of supervisory authorities and the courts.
So it is only logical that today our (professional) social media feeds fill with reviews, analyses and opinions of privacy professionals and stakeholders alike looking back and forward on GDPR compliance.
For my part, I would like to take a moment to focus on five key challenges privacy practitioners continue to face on a day-to-day basis: one for each year of GDPR implementation. There are of course (many) more, so do revisit this page at future GDPR anniversaries ;-)
1. Understanding and adapting to regulatory changes: Over the past five years, GDPR has undergone various updates and interpretations by different regulatory bodies. Keeping track of these changes can be a daunting task, especially for small businesses without dedicated legal or compliance teams. Regular training, robust compliance management systems, and cooperation with regulatory bodies are crucial in meeting this challenge.
2. Managing consent: One of the central tenets of GDPR remains obtaining (in many use-case scenarios) specific and informed consent for data collection and processing. However, the practicalities of managing and demonstrating consent can be complex, particularly given the growing number of digital touchpoints. The interaction between GDPR and the e-Privacy Directive (the so-called Cookies Law) also remains less than evident as we (still) await the advent of the new e-Privacy Regulation. Many businesses struggle with providing clear consent options without disrupting user experience. Innovative tech solutions that streamline the consent process while ensuring full transparency can help overcome this hurdle.
3. Data mapping and inventory: GDPR requires businesses to maintain detailed records of their data processing activities. However, due to the vast and complex nature of data systems in many organizations, achieving this can be a significant challenge. Adopting automated data mapping and inventory tools can streamline this process, but it requires a significant initial investment.
4. Dealing with international data transfers: GDPR has stringent rules for transferring personal data outside the EU, a process complicated further by rulings like the invalidation of the EU-US Privacy Shield by #Schrems1 and the raising of the bar to almost unfeasible heights for notably US-bound transfers by #Schrems2 and the ensuing jurisprudence. Note in particular the growing Google Analytics case law and that certain Meta decision of earlier this week.
5. Meeting individuals' rights requests: GDPR grants individuals several rights concerning their personal data, including access, rectification, and deletion. To these are added data portability and the increasing importance (in particular when AI gets involved) of the rights related to automated decision making. While fulfilling these rights is a fundamental aspect of GDPR, the logistics can be complex and resource-intensive. To meet this challenge, organizations need robust, scalable processes and technologies to effectively and efficiently handle rights requests.
In summary, GDPR has had a transformative effect on data privacy worldwide. Businesses have become more conscious of their data handling practices, and individuals have gained unprecedented control over their personal data. But the privacy rose is not without thorns, and the principle of accountability driven home by GDPR has created headaches for many a boardroom as well as job security for a legion of privacy professionals.
The many challenges should however not prevent us from remembering, especially today, that the spirit of GDPR – respecting and protecting personal data – remains at the forefront of our digital future. The road ahead may be demanding, but by learning, adapting, and investing in privacy, we are creating a more secure and trusted digital environment for all.
As the Stoic philosopher and Roman Emperor Marcus Aurelius famously said:
“The impediment to action advances action. What stands in the way becomes the way.”