GDPR At 2: Why Was The GDPR Actually A Big Thing?
Punit Bhatia
Managing Consultant | Making Privacy, Data & AI Compliance and Sourcing Hassle-Free | Host of the FIT4PRIVACY Podcast | Published Author | Keynote Speaker
In April 2016, when the EU General Data Protection Regulation (GDPR) was adopted and it was announced that the regulation would become effective as of May 25, 2018, this was a big thing because:
- GDPR is a regulation. The first and foremost reason was the fact that the GDPR is a regulation, while the previous data protection legislation was a directive. But what does this mean? In EU terminology for legislation, a directive sets a goal that member states must achieve by devising their own local laws. This gives member states a lot of flexibility. A regulation, on the other hand, is a binding act that must be applied across all EU member states in its entirety. This leaves member states limited flexibility, and the regulation is law in all member states directly. This meant the privacy laws across the EU member states would be very similar, with some exceptions that the GDPR itself allowed.
- One-Stop-Shop. The one-stop-shop concept in the GDPR ensures that organizations and individuals can deal with cross-border (across member states) privacy-related issues from their home base. This means such issues can now be addressed consistently across the EU member states. For organizations that are active in multiple EU countries, the GDPR allowed working primarily with the supervisory authority based in the same Member State as the organization's main establishment to achieve compliance. Normally, this is the place where the organization's EU headquarters is located. This authority is the 'lead supervisory authority' for all privacy-related matters of the organization. For individuals, the local supervisory authority of a Member State may either hand the case over to the lead supervisory authority or handle the case locally in co-operation with the lead supervisory authority.
- 72-hour Data Breach Notifications: The GDPR required that personal data breaches be notified to the supervisory authority within 72 hours of becoming aware of such a breach and, if necessary, that the data subjects be notified as well. This was perceived as a very strict requirement (even though some countries, like the Netherlands, already had mandatory notification of data breaches).
- Accountability: For the first time, the principle of accountability was stated explicitly in the EU's data protection legislation. This meant organizations became solely responsible for ensuring that data processing is carried out in accordance with the other principles of the GDPR, which include lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; and integrity and confidentiality. The organization now needed to demonstrate compliance with the accountability principle to the data subjects and also to the relevant authorities.
- Penalties and Fines: When we talk about why the GDPR was a big thing, how can we not talk about fines? I may not like to talk about fines, but the fact is that the provision for significant fines under the GDPR created a lot of buzz around the GDPR. If an organization fails to comply with its obligations under the GDPR, the DPA can levy a fine of up to 20 million Euros or 4% of the organization's worldwide annual revenue in the prior fiscal year, whichever is higher. This provision led to a lot of scaremongering and media attention on whether the law would kill small businesses.
In short, the GDPR was a law that aimed to harmonize the privacy compliance laws across EU Member States, modernize the practices because the world had changed since 1995 (when the previous privacy directive was adopted), and give control back to the citizens who own the data. And it did so by
- putting the onus of compliance with organizations,
- providing the authorities with powers like never before,
- empowering individuals with rights and means to question organizations.
We can always debate whether the buzz was for real or not, but the fact that 62 new countries enacted data privacy laws in the last decade shows that privacy has become a big thing in the past years.
Now, the question is: Why? Was all this necessary? So, let us delve into the need aspect.
Over the last few decades, the world has changed significantly. Some of these changes are:
- the proliferation of the internet means everything is now digital
- there are more mobile phones on this planet than there are humans
- knowingly or unknowingly we share a lot of data on the cloud
Essentially, we are becoming digital entities. And in this digital world, the privacy laws needed to change to match the scale and magnitude of the change we have gone through in the last few decades. While the change we went through was incremental, the change in privacy laws came in one shot. This means organizations are now having to make retroactive changes in order to consider or respect privacy. And, in my opinion, this is the reason the GDPR, or privacy, has been a big thing in the last few years.
Now, I have shared my views on why it was a big thing. Please do share your likes and comments, and pass the article on to others who may find it helpful.
Note:
As I shared in my article "GDPR At 2: How To Look At Two Years Of The GDPR Regime?", this article is part of a series of articles on GDPR at 2. In the next article, I will explore what has worked well in the last two years of GDPR being in effect.
Punit Bhatia is a privacy consultant who is an author of multiple books on GDPR, privacy and sourcing, a speaker at global events, an advisor on GDPR and privacy matters, and the host of The FIT4PRIVACY Podcast. Punit helps business and privacy leaders identify the strategic priorities for privacy compliance and manage the execution in a simple and structured manner. Punit is known for using simple business language while avoiding legal jargon. Punit is a certified Fellow in Information Privacy (FIP), CIPM, and CIPP-E.