GDPR: four years after
BY MICHAEL IRENE, PhD
On May 25th, 2018, the world was rocked by the European Union General Data Protection Regulation, easily tagged as GDPR. It took the world by storm and the authorities gave it teeth to ravage big businesses like Amazon, Facebook, Google, just to mention those three. Yet, four years later, the baby regulation like a toddler seems to be learning how to walk properly. The fine article penned by The Wire titled, ‘How GDPR Is Failing’ captures in a broad and introspective way the strengths and future weaknesses of the regulation.
There is no doubt that the regulation has influenced businesses on how to handle personal data and shines a light on the procedures and processes of organisations. Stakeholders in various business functions now have data privacy rolling in their tongues when considering launching a process or project that involves the use of personal data. That is a positive which one must at least recognise.
Another important thing is that data subjects feel empowered and understand that they can now demand that companies stop using their personal data in an unprofessional manner. We are seeing employees asking their employers to gain access to personal information they might hold about them and not feeling scared about punishment. There is no best approach to data subject access requests within companies, but one can see that there is an improvement and increasing respect in how companies treat data subjects.
Four years later, we are noticing that the regulation is playing catch-up with the neck-breaking speed of technology, especially with machine learning and artificial intelligence. I hazard a guess that the regulation would keep changing to match some of these technological advancements. Companies and their stakeholders need to keep abreast with these developments to prevent being caught unawares by these additions to the regulation.
The only weakness that one can point to is that the regulators, especially in Europe, and has rightly mentioned in the Wire article, are overwhelmed with complaints and handling them objectively becomes a big issue. The question of resources becomes a big issue which begs the question whether the data protection authorities can carry out investigations, probe company processes and come out with the right conclusions per case. The backlog for the Information Commissioner’s Office in the United Kingdom is unbelievably scary.
In other continents, for example, Asia, Africa and the Americas, there has been an increasing leaning-in into data protection. Countries are creating data privacy laws, and this is testament to the positive inspiration by the General Data Protection Regulation. The baby influenced a worldwide euphoria, and one must add that it has not failed yet.
However, one must question the implementation of this regulation in the next five years. The question is as the world begins to adopt these new improvements and advancement in technology, what should regulators be paying attention to? How can regulators help companies improve in their product launch and increase revenue without trampling the laws? The answer, I guess, is something that we can only hope to see in the future.