In recent years, data privacy has moved to the forefront of consumers’ minds as the prevalence of data breaches and leaks has underscored the value of personal data. A Pew Research Center report found that 79% of consumers are concerned with how organizations are using the data they collect about them.
In response, governments across the globe implemented compliance regulations like the General Data Protection Regulation (GDPR) to hold companies accountable and protect personal data. Enacted on May 25, 2018, the GDPR is the most far-reaching compliance regulation currently in existence, designed to give individuals within the European Union more control over how their personal information is used.
With fines and breach notifications seeing double-digit growth year after year, what do organizations need to know as the GDPR approaches its third anniversary?
What’s considered personal data under the GDPR?
While the GDPR has proven to be a landmark compliance initiative, there’s still some confusion about what is classified as general data, as opposed to sensitive personal data.
Under the GDPR, personal data is defined as any data that can be used to clearly identify an individual, while sensitive data refers to data that can be used to discriminate against an individual, such as race, religion, or political views. Companies with a presence or customers in the EU must have a lawful purpose to store and process personal data, and EU citizens are given a number of rights that ensure their data is held securely.
Common examples of personal data include national identity card numbers, mailing addresses, email addresses and phone numbers. The scope has grown considerably and now includes IP addresses, social media data and digital images showing an individual, as well as geolocation, behavioural and biometric data, all of which is now considered personally identifiable information (PII).
However, challenges arise as more and more data is generated and people continue to conduct their lives online from the comfort of their homes and on personal devices. Organizations must maintain a high level of personal data awareness as the applicability of the GDPR expands to more types of data that are deemed personal or sensitive, while other global privacy laws also continue to evolve and grow stronger. California has experienced this firsthand following the passage of the California Privacy Rights Act in November 2020, the state’s second compliance regulation in two years, just months after its first regulation, the California Consumer Privacy Act (CCPA), took effect in July 2020. While a major step for the state, the original CCPA had been viewed by data watchdogs as not strong enough to protect and enforce data privacy rights.
Avoiding non-compliance and mitigating security risks
GDPR compliance has often been labeled as difficult to achieve and maintain, with businesses claiming that the law’s requirements are too complex to implement. This view could be considered a consequence of the previously low level of regulation limiting how businesses may collect and use the data of individuals.
Unfortunately, data privacy and security challenges are only going to rise in complexity as the nuances of modern business practices, data creation and consumer trends cause personal data to continue to proliferate across global platforms and networks.
Unlike data security standards like the PCI DSS for the payment card industry, the security requirements under the GDPR are somewhat ambiguous, leaving compliance and security up to interpretation for individual organizations. However, one of the most abundantly clear guideline requirements is the “pseudonymization and encryption of personal data.”
Hopefully, most organizations are already using modern encryption to protect the personal data stored within their business. However, there must also be policies governing how and when to use encryption, as well as routine training for employees. The United Kingdom’s Information Commissioner’s Office also has an excellent GDPR encryption checklist that can help organizations get started.
In the event of a breach or the unlawful storage or sharing of data, organizations put themselves at risk of major fines. Look no further than the recent announcement from the Norwegian Data Protection Authority (DPA) on its intentions to impose a fine of $11.7 million on popular dating app Grindr for illegally disclosing private details about its users to advertising companies. The $11.7 million price tag equates to roughly 10% of its revenue according to the DPA.
In the face of costly fines, some organizations have turned to technology partners to gain greater visibility into, and control over, how data is handled across their organization. An entire global market has evolved from the challenges businesses face in meeting privacy and security obligations, leading to a broad variety of solutions being available both in the cloud and on-premises. Choosing the right solution will ultimately depend on an organization’s unique situation, industry and use cases, which determine what compliance regulations it needs to adhere to.
How the GDPR stacks up against other compliance regulations
As the most well-known compliance regulation currently in existence with global applicability, the GDPR has influenced multiple other countries and jurisdictions to develop their own privacy regulations, most notably the CCPA in California, which is sometimes referred to as the “American GDPR.” And while there are some key similarities, like the focus on transparency, there are differences worth noting, particularly pertaining to the rights of consumers.
For starters, when it comes to controls for individuals, the GDPR provides consumers with the right to opt in to the collection of their data before it is actually collected. This requirement may become more difficult for larger tech and social media companies based on a recent op-ed by the President of the European Commission; however, it’s too early to make a firm conclusion on what the true impact will be. Meanwhile, the CCPA allows businesses to collect consumer information without consent, and instead shifts the decision to California citizens, who must opt out of data collection rather than opt in. This is a material difference, and it’s clear that the GDPR is far more proactive towards the interests of the individual by requiring organizations to receive consumer consent.
Another regulation aimed at protecting the privacy rights of individuals is Australia’s Privacy Act, formally known as the Privacy Act 1988. Established in 1988, the law has developed alongside the evolution of the internet and has undergone over 80 revisions since its inception. A case study in how compliance regulations can evolve alongside data, its most notable amendment was introduced in 2014 as a set of Australian Privacy Principles (APPs) that must be followed when working with personally identifiable information (PII). Much like the GDPR and CCPA, the APPs were designed to give individuals power over how their personal data is used.
There are also some differences between the GDPR and the Privacy Act, ranging from minor discrepancies in terminology (personal data vs. personal information) all the way to significant differences. For instance, the Privacy Act allows for “implied consent,” which means that when a customer takes an action, it is implied that they have consented to their personal information being collected, used or stored, given that they have voluntarily supplied the information. There are of course a number of other differences between the two laws, and hundreds of other regulations have been established across the world, but the GDPR remains the most recognised and most impactful privacy regulation.
Data privacy is only going to increase in importance. Recent regulations and attempts to limit how much data organizations can collect clearly illustrate that data is their most valuable asset. It also signifies that compliance regulations have gained substantial momentum and focus to address the continued growth, prevalence and creation of data in business settings, and with 128 of 194 countries having implemented modern laws to protect personal information, it’s clear governments intend to prioritize the protection of personal data.