José A. Rodríguez Ruiz, Global DPO at Cornerstone OnDemand
The one-year anniversary of GDPR is here and there is currently a lot of talk about GDPR’s first ‘birthday’. Although the regulation only came into force last year, data protection laws have been around since 1970, almost 50 years.
The first data protection law anywhere was passed by the German federal state of Hessen in 1970 (the Hessisches Datenschutzgesetz); it was a state law rather than a national one, and it governed how public bodies handled personal data. Germany’s first federal data protection act, the Bundesdatenschutzgesetz, came into force in January 1978. The UK followed with the Data Protection Act 1984, and then the Data Protection Act 1998, which implemented the EU Data Protection Directive of 1995.
One year on
The GDPR, drafted to give EU citizens more control over their personal data in an increasingly digital world, has since been applied across Europe. But the GDPR is not something new. Of its six data processing principles, transparency is the only one that was not already present in earlier law. What is new is the obligation of accountability: the data controller is responsible for compliance with the other principles and must be able to demonstrate it. Businesses now need to provide full transparency on where employee data is stored, how it is protected and how it is processed.
The primary change we see with GDPR is the size of the fines. In the UK there have not been any GDPR fines to date (it is still too early), but several enforcement notices have been issued to companies under the ‘new’ Data Protection Act, and the industry is holding its breath waiting for the first fines to arrive.
The impact of GDPR
Although we haven’t seen any fines in the UK yet, the GDPR has made everyone more aware of data protection and its importance, and it has certainly sparked a need for clear data regulations and transparency. It’s raised awareness of the importance of protecting people’s data and companies are now considering how employee data flows around the organisation.
Employee data protection is not new, but GDPR takes it one step further and pushes hard for compliance, threatening high penalties if companies do not observe the regulation. This brings balance: it gives employees, and organisations such as trade unions, strong leverage in case employers do not respect these rights.
Scandals such as the Facebook/Cambridge Analytica crisis or the Marriott hotel data leak have also made us reflect on the need to protect data adequately because, ultimately, data protection is not about protecting the data, but about protecting the people, the primary goal of the GDPR and the Data Protection Act 2018.
Even a year after GDPR, businesses are still facing challenges implementing the regulation. Many organisations, particularly in advertising and publishing, are still struggling with the ‘opt-in’ and ‘opt-out’ process. Often the options are confusing and end up catching people out. Some websites have simply not caught up: the Chicago Tribune, for example, is still inaccessible to people in the EU. It is clear that we are all still learning how to apply GDPR to specific cases.
GDPR has already become a benchmark for many regions and organisations. Japan, Brazil and California in the US have passed new privacy laws, and India has drafted one, demonstrating the significance of the ‘fundamental right to privacy’ and the need for companies to be transparent about how they use personal information. Similarly, organisations around the world are implementing GDPR-like principles and processes even where the law does not require them.
Even though most organisations have already made the basic changes needed to comply with GDPR, data privacy will remain a major focus for organisations across Europe and beyond. Data protection is a process and a mindset, not a point-in-time activity.
Going forward we will see a stronger focus on compliance, and a natural selection among providers based on their levels of GDPR compliance: in a cloud-based world, the compliance of vendors is just as important as a company’s own organisational compliance procedures.
GDPR is not brand-new legislation; its premise is almost 50 years old. But it is complex, and organisations, even one year on, are still working out how to comply fully. Fortunately, by building more efficient data handling processes and being transparent about the use of people’s personal data, organisations face less risk of fines and penalties, and employees can be confident that their data is protected and secure.