Where is GDPR Today?

Now that GDPR is over three years old, I thought it may be interesting to reflect on recent news.

GDPR definition: The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations on organizations anywhere, so long as they target or collect data related to people in the EU.

The UK GDPR sets out seven key principles:

  • Lawfulness, fairness and transparency.
  • Purpose limitation.
  • Data minimisation.
  • Accuracy.
  • Storage limitation.
  • Integrity and confidentiality (security).
  • Accountability.

GDPR fines levied as of September 13th, 2021:

Organizations in breach of the GDPR can be fined up to 4 percent of worldwide annual turnover for the preceding financial year, or up to €20 million, whichever is higher. Since the Regulation came into force, a total of 839 fines have been issued.

Many of the high-profile fines, ranging from roughly $6M to $877M, have been levied against some of the world's largest technology, telecommunications, hospitality and retail companies.

It appears that most enforcement activity is focused on cookie consent, the processing of sensitive data, overly aggressive marketing, and lax security safeguards.

The Safe Harbour Agreement was one of the precursors of GDPR.

According to Experian:

The Safe Harbour Agreement was a set of principles that governed the exchange of data between the United States of America and the European Union (and Switzerland). It was ruled invalid by the European Court of Justice on 6 October 2015.

What was the purpose of the Safe Harbour Agreement?

The Safe Harbour Agreement was designed to ensure data transfers between the EU and the US complied with the European Data Directive 1995. Specifically, it revolved around 7 key principles:

  1. Notice - The data subject should be informed that their data has been collected, how it will be used and how to contact the data holder for any queries.
  2. Choice - The data subject should be able to opt out as well as forward the relevant data to another third party.
  3. Onward Transfer - The transfer of any data can only happen with a third party that meets the required data protection principles.
  4. Security - A reasonable effort must be made to keep the data safe from loss/theft.
  5. Data Integrity - The data must be relevant and reliable for its original purpose of collection.
  6. Access - The data subject should be able to access, correct and delete any information held about them.
  7. Enforcement - There must be effective means of enforcing these rules.

Why was the Safe Harbour Agreement ruled invalid?

After a legal case brought by Austrian privacy campaigner Max Schrems, it was decided that US data protection laws were inadequate, and it was necessary to rule the agreement invalid.

I am not aware of any lawsuits in progress to invalidate GDPR. The intent of the Regulation is the protection of individuals.

GDPR compliance requires a team effort, with legal, operations and technology all working together. As you review potential new partners, it is important to ask whether they are GDPR compliant. Because there is no official GDPR certification, a vendor's "yes" should be backed by evidence: a data processing agreement under Article 28, a record of processing activities, a list of sub-processors, and the safeguards used for any transfers of personal data outside the EU.

More articles by Robert Bialk