Do you remember where you were on 25th May 2018? Perhaps you were enjoying a Friday night drink with friends. Perhaps you were with family, relaxing after a busy week at work.
I was actually having a GDPR Birthday party with friends and colleagues because 25th May 2018 was a landmark day for the world of Data Protection (yes, seriously, we had a party!).
But the funny thing about the effective date of the then-new General Data Protection Regulation (GDPR) was that many saw it as a date to dread. During the year prior to it officially replacing the Data Protection Act 1998, I had almost weekly conversations with business owners and individuals who were in a panic about what they perceived as this onerous new regulation.
The main cause of their consternation was the hefty fines that they would receive if they accidentally or intentionally misused our data. This misuse is something I will return to shortly, but first, let’s examine why people initially ran in fear of the regulation, and it can be summed up in three words: snake oil sales.
Snake Oil Sales
Although GDPR hit the mainstream media in 2016, people like me have been talking about the regulation since 2012. When it started to gain momentum in the press and on social media, experts proclaimed that it signalled the end of the free movement of data. They stated emphatically that if businesses got it even slightly wrong, they’d be subject to a fine of 20 Million Euros, or 4% of global turnover.
Of course, those people proclaiming this were selling products and services that could “make you GDPR compliant.”. (NOTE: There is no such thing.) These people were selling fake products, just as others did in the American “Wild West”’, when products marketed as a curative liniment derived from snakes, known as snake oil, were sold as the miracle cure for every illness.
Many spoke of how onerous the regulation was and how they had to use their services to help them navigate the complex legal framework.
Not onerous – but “Owner Us”!
Don’t get me wrong, there is some complexity to GDPR, and it needs to be fully read and understood to make sense of it. It is, after all, dealing with how organisations of all sizes should control and process our data. It is as relevant to large organizations, such as the National Health Service (NHS), as it is to small payroll and accountancy businesses. It needs to be flexible to cope with highly regulated industries operating internationally and for unregulated businesses, such as that hairdressing salon that you use on a Saturday afternoon.
GDPR is not onerous. It’s our data, and it puts the power back in our hands - the Owner is Us!
GDPR is a force for good
If you’re still not convinced that GDPR is a good thing, then perhaps you should consider some of the positive impacts that the regulation has had over the years.
1. Increased transparency and control for individuals.
GDPR gives individuals more control over their personal data, including the right to access, correct, delete, and object to the processing of their data. It also requires organisations to be more transparent about how they collect and use personal data. Organisations began to update their privacy notices to inform their clients about how data would be used. In turn, the general public began to understand what data protection means to them personally.
2. Improved data security.
GDPR finally got the attention of corporate Boards of Directors, and they began to see that they couldn’t just use data any way they wanted. It requires organisations to implement strong data security measures to protect personal data from unauthorized access, use, disclosure, or destruction. This has led to significant improvements in data security practices.
3. Increased accountability for organisations.
GDPR introduces a number of new requirements for organisations, including the appointment of a Data Protection Officer (DPO) in certain cases, the implementation of Data Protection Impact Assessments (DPIAs), and the ability to demonstrate compliance with GDPR. This has made organisations more accountable for their data protection practices.
4. Enhanced cross-border data flows.
GDPR provides for a number of mechanisms that facilitate cross-border data flows, such as adequacy decisions and standard contractual clauses. This has made it easier for organisations to transfer personal data outside of the European Union.
5. Increased innovation.
GDPR has led to increased innovation in the data protection space as organisations seek to find new ways to comply with the law while also maintaining their business operations. This has led to the development of new technologies and services that help organisations to manage their personal data more effectively.
There is still work to do
It may come as no surprise to you, but I’m a bit of a GDPR fan. Not just a geek. Not just a nerd. But a lifelong fan of GDPR. Yes, GDPR has its flaws, but it is the gold standard when it comes to data protection regulations, and other countries know it.
In the USA, they are looking to GDPR as a model for their Data Protection laws, and on 11th August 2023, the Data Protection Bill was passed in India, which, upon first reading, seems to lean heavily on GDPR.
However, there is still work to be done. Many organisations are still ignorant of the needs of GDPR, and the Snake oil salespeople are still in operation. There is also talk of the UK Government developing a diluted version of GDPR, which will give UK businesses more opportunity to monetize the data they hold, i.e., make money from the data they possess about you and your loved ones. Are you happy about that? I know I’m not).
There is still work to be done. But I am convinced that if people and organisations keep the following in mind, then the future will be a much more secure and happier one for us all:
- It is OUR data – We have a responsibility to know who has it and how it’s being used.
- GDPR isn’t confusing if you read it (I’m amazed how many people haven’t)
- GDPR simply means “Giving Data Proper Respect”. Organisations must remember this and keep it as a guiding principle.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.