This article was written by Eloise Tobler of Wisetek. Eloise specializes in advising businesses on avoiding cyber crime through an effective data destruction policy.
On a global scale, society is becoming more privacy-conscious, especially when it comes to the personal information shared with businesses. Much of this growing mistrust can be attributed to high-profile data breaches and scandals involving the misuse of personal data. The European Union enacted the GDPR, a far-reaching law offering people in the EU increased protection and agency over how their data can be collected and used by businesses. With the law having applied since May 2018, it is worth reviewing the changes and developments since then, and how they affect businesses in 2021.
The GDPR: A brief introduction
GDPR stands for General Data Protection Regulation. It governs how organisations process the personal data of individuals located in the European Union and the wider European Economic Area, regardless of those individuals' citizenship. It applies regardless of where a business is registered or based and regardless of where it stores or processes the data. A business outside the EU is caught as soon as it offers goods or services to people in the EU, or monitors their behaviour there, so most businesses with a global footprint have to comply with the GDPR.
The GDPR is not only concerned with protecting data; it also gives individuals the right to know that their data is being collected, to be informed of how it will be used, and to control the collection, analysis, and use of that data. The law requires:
- Businesses to be transparent regarding data collection and processing.
- A lawful basis for every processing activity. Where that basis is consent, the consent must be freely given, specific, and informed, and users must be able to withdraw it as easily as they gave it.
- Businesses to notify the relevant supervisory authority of a personal data breach within 72 hours of becoming aware of it, and to inform affected individuals without undue delay where the breach is likely to result in a high risk to them.
- Businesses to ensure that adequate cyber security protocols are in place for the safe storage, transfer, and processing of user data.
- Businesses to keep personal data no longer than necessary for the purpose it was collected for, and to securely delete or destroy it once it is no longer needed.
Important GDPR changes and developments
The GDPR was considered a seminal development in the global privacy landscape when it was adopted in April 2016 and became applicable on 25 May 2018. It was not the first comprehensive data protection law, but it was the most far-reaching, governing the entire EU region, one of the most lucrative global markets. As such, it affected almost every business and corporation with a global footprint. Since then, important changes and developments have occurred, the most notable of which include:
Fines to large corporations
The GDPR was drafted with the knowledge that some of the multinationals it was looking to regulate had deep pockets, which made them almost immune to the impact of fixed fines. The GDPR's fine system therefore has two tiers: up to 10 million euros or 2% of worldwide annual turnover, and, for the most serious infringements, up to 20 million euros or 4% of worldwide annual turnover, whichever amount is higher.
This has led to some huge fines for some of the largest corporations in the world. In the UK, an airline was fined £20 million (roughly 20 million euros) for security failings that allowed a breach exposing the personal data of hundreds of thousands of customers. In France, a fine of 50 million euros was imposed for failing to properly inform users of how their data was being processed and for relying on invalid consent. In Germany, a global fashion brand was fined 35 million euros for unlawful surveillance of its employees. GDPR enforcement has not been shy about taking large companies to task over their improper handling of personal data.
Cookie walls considered illegal
The EDPB (European Data Protection Board) is the body that brings together the EU's national data protection authorities and issues guidance on how the GDPR should be applied; day-to-day enforcement is carried out by those national authorities. In May 2020, the EDPB adopted updated guidelines on consent stating that cookie walls do not produce valid consent. A cookie wall blocks access to a web page unless the user agrees to ALL of the website's cookies. Because the user is given no alternative to accepting every cookie in order to reach the content, the consent is not freely given, and is therefore invalid under the GDPR.
Brexit and UK-GDPR
With the UK officially leaving the EU, it is no longer directly governed by the EU GDPR. Instead, the UK retained the text of the GDPR in domestic law as the 'UK GDPR', which sits alongside the Data Protection Act 2018 and is more or less identical to the EU GDPR with some local provisions. Keeping the same privacy and data protection standards as the EU was a prerequisite for data to continue flowing freely between the two jurisdictions, which the EU formally confirmed by adopting adequacy decisions for the UK in June 2021.
What is the implication for businesses in 2021?
The zeal with which the GDPR has been enforced can be seen from the fines already handed out to large corporations. Businesses need to take note of this, as they may face similar punitive measures if they are not in compliance. A law is only as effective as its enforcement, and the national supervisory authorities, coordinated through the EDPB, appear intent on enforcing compliance.
Businesses serving users in the EU in 2021 also have to ensure that their web design does not include cookie walls or other coercive tactics for obtaining consent to data collection. They have to be transparent about what they collect and why, and obtain freely given consent without making access to content conditional on it.
The UK's decision to match the EU GDPR standards could have far-reaching consequences for global businesses in 2021 and beyond. Countries whose data protection safeguards the European Commission considers essentially equivalent are granted an 'adequacy decision', which allows personal data to move freely between them and the EU. Countries with adequacy status include Japan, New Zealand, Uruguay, Israel, and Argentina. Others, such as South Korea, are still in the evaluation process. In the US, California has already put in place comparable privacy laws, with other states considering the same. The GDPR is serving as a benchmark that other markets are emulating, and beyond 2021 businesses should expect similar laws to appear around the world.
Businesses that handle the personal data of people in the EU have to take GDPR compliance seriously, in light of the large fines handed out to giant corporations for non-compliance. They also have to keep track of developments such as the guidance against cookie walls. With multiple countries adopting similar data protection laws, businesses should prepare for more markets having GDPR-style laws in the coming years.