GDPR is Two Years Old: A Retrospective

The European General Data Protection Regulation(GDPR) is two years old. The regulation has, thus far, survived and continues to thrive today.

Since the birth of the regulation, businesses have been forced to rejig their systems to meet the principles and rights of data subjects. Most businesses are eliminating any existing data privacy risk within their processes.

The regulation has given data protection authorities to fine those companies that violate the data protection regulation. British Airways, Equifax, Facebook, Google, just to mention those four companies have been fined for their insouciance and “devilish” way of handling data.

The GDPR ripple reached other continents—Asia, Africa, and the Americas. In Africa, for example, Nigeria, South Africa, Ghana, and other countries have come up with a simulacrum to GDPR. It has inspired companies in these places to treat data processes in the right manner.

The introduction of the regulation opened a wide array of opportunities for individuals in the privacy space and even individuals outside the privacy and tech space. There has been, since GDPR became a new norm in global economies, a surge of data protection experts. It has created new jobs and new roles within business functions—Data Protection Officers, GDPR SMEs, GDPR analysts, and GDPR technical analysts.

GDPR informed data subjects about their rights with regard to how companies process their data. Individuals now know the wrong and right ways companies may mishandle their data.

Most companies take the regulation seriously as some have expanded their budgets to build robust technical systems that handle privacy matters. Some companies have included in their offerings various technical options for customers to manage their data. For example, one can easily opt-out of receiving marketing emails with the click of a button. Other companies claimed the regulation has helped them change their product and service offerings to further enshrine their commitment to data protection laws.

There is room for improvement in the regulation. Especially with the issue of consent management in general. There is still some confusion about what a company does when someone accepts cookie policies, how to collect further consent in case of multiple processing, and most importantly, opting-out options.

In the case of public authorities using their powers to process data “necessary for the performance of a task carried out in the public interest.” It is hard to say whether public authorities would really respect the regulation. An example exists during this pandemic. To avoid the spread of the recent COVID-19 flu, various countries in Europe are developing tools to monitor people who have the virus. This era will test how the so-called developed countries will fare in granting freedoms to individuals.

The regulation will be tested as technology advances and new tech companies are built. Artificial intelligence and machine learning companies, for example, are doing this with the internet of things (IoT devices), medical advancement, and other facets. It is one thing for humans to advance technologically and it is another thing for regulators to catch up with the ever-changing dynamics of technology.

So far, GDPR has proven that companies can process data technically and legally, helped curb the excessive use of data, and has changed how businesses operate in modern times.

In all, it has been a good two years for GDPR. The next couple of years would be interesting to watch as the regulation welcomes new technologies. It is either GDPR keeps evolving to catch up with the advancement in technology or it loses steam as new technology overtakes it. I doubt the latter will happen. What will happen is that regulators would keep adding fuel to the permanence of the clauses existing in the regulation. In another five years, GDPR will still be a baby learning to get a full grip of the business environment and delivering further guidance to companies in Europe and across the world.