GDPR so far

by Mark Rowe

Two years in, the European Union-wide (including the UK) GDPR (General Data Protection Regulation) has met its objectives of strengthening the protection of the individual’s right to personal data protection and guaranteeing the free flow of personal data within the EU. That’s according to a report from the European Commission.

However, in the report’s words, a ‘truly common European data protection culture between data protection authorities is still an on-going process’. It said: “Data protection authorities have not yet made full use of the tools the GDPR provides, such as joint operations that could lead to joint investigations. At times, finding a common approach meant moving to the lowest common denominator.” The report calls for ‘a harmonised approach and a European common culture of data protection, and to foster a more efficient and harmonised handling of cross-border cases’.

Didier Reynders, Commissioner for Justice, said: “The GDPR has successfully met its objectives and has become a reference point across the world for countries that want to grant to their citizens a high level of protection. We can do better though, as today’s report shows. For example, we need more uniformity in the application of the rules across the Union: this is important for citizens and for businesses, especially SMEs. We need also to ensure that citizens can make full use of their rights. The Commission will monitor progress, in close cooperation with the European Data Protection Board and in its regular exchanges with Member States, so that the GDPR can deliver its full potential.”

The GDPR provides national data protection authorities with the right tools to enforce the rules. However, they need to be adequately supported with the necessary human, technical and financial resources, according to the report. Many EU states are doing this, with notable increases in budgetary and staff allocations. Overall, there has been a 42pc increase in staff and 49pc in budget for all national data protection authorities taken together in the EU between 2016 and 2019. However, there are still stark differences between states, and it’s ‘not yet satisfactory overall’, according to the report.

In an economy increasingly based on the processing of data, including personal data, the GDPR is an essential tool to ensure that individuals have better control over their personal data and that these data are processed for a legitimate purpose, in a lawful, fair and transparent way, the report said.

Background

Since May 2018 the General Data Protection Regulation has been law across the EU, including the UK despite the Brexit referendum, via the Data Protection Act 2018. It’s a single set of rules of EU law on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

Comment

Barbara Lawler, Chief Privacy and Data Ethics Officer at the business intelligence and analytics firm Looker, said: “Despite the GDPR now being in full force, many are still clearly on the journey to compliance. Getting to a place where you’re confident there’s no data sprawl, everyone’s singing from the same data ‘song sheet’ and there’s one single source of truth has been – and still is – a significant challenge for many enterprises, especially those deploying new tech such as machine learning or artificial intelligence.

“However, this has also resulted in businesses housing huge volumes of data, some of which isn’t being used at all, and the rest of which is often duplicated across many locations. With that in mind, it has never been more important for organisations to review their data handling and security processes regularly, ensuring data collection and usage policies and processes put in place prior to the GDPR deadline are still being carried out properly.

“While still a business challenge, GDPR should be viewed as just another market condition, and shouldn’t be seen as a barrier to creating a data-driven culture across an organisation. Rather, it should be positioned as a regulation driving data empowerment, so long as there is tech in place to enable compliant practices.”

© 2024 Professional Security Magazine. All rights reserved.