The General Data Protection Regulation - introduced in the European Union (which at the time contained the wayward United Kingdom) on the 25th May 2018 - was the beginning of a revolution in privacy for personal data. In this article we take a look at 'what's now' and 'what's next.'
Since the Eurolaw's implementation three years ago, individuals have, at least in theory, been able to reclaim their personal data and gain control over their digital footprints. The 99 articles that make up GDPR protect all of the following types of data.
- Personal information such as names, addresses and social security (or, in the British case, National Insurance) numbers.
- Web data such as locations, IP addresses and cookies.
- Data related to health, genetics and biometrics.
- Racial and ethnic data.
- People's political opinions.
When the GDPR first came in, people were not sure whether it was going to stick. Three years later, we can now say that it not only stuck but has also created a worldwide wave of privacy regulation. More and more countries have passed similar laws - not least the California Consumer Privacy Act 2018 and the LGPD (Lei Geral de Proteção de Dados Pessoais, enforcement date 18th September 2020) in Brazil. In this article, we look back at the successes and limitations of the GDPR to date and explore the changes that have come to pass as a result of Brexit.
The successes and pitfalls of the GDPR
My view is that the GDPR has, by and large, done a fantastic job in raising awareness about the importance of personal data privacy. It has brought about a real change in the ways in which organisations all over the world treat consumers' data. Firstly, many countries in Europe - not least the United Kingdom - are required to meet similar standards and independent agencies are auditing their efforts. This allows many people to feel protected wherever they work and travel in a large region of the globe.
At Mine we have seen at first hand that people care about owning their data, with more than 225,000 consumers assuming control over it by sending out three million 'data reclaim' requests. For consumers, this control also allows them to reduce the risk of 'data breaches' (offences against the GDPR that threaten their data) drastically by minimising their digital footprints.
However, there is also room for criticism. The GDPR can be very complicated, making it hard for the average person to use to his benefit without professional advice. Before Mine was founded, there was no easy way in which someone could discover who had access to his data, take control of his digital footprint or reclaim his data (by sending off right-to-be-forgotten requests, i.e. requests for data to be deleted) in an accessible, streamlined way.
How changes to the GDPR as a result of Brexit will affect consumers
Although Britain is no longer part of the EU, it still follows the precepts of the GDPR. However, the 'UK GDPR' is still slightly different from its European counterpart, especially in its definition of personal data, its child-consent ages and the rights that it bestows on so-called data subjects. Consumers should be aware of a number of factors that have changed since the introduction of the UK GDPR. This is more important than ever, because our research tells us that digital footprints have increased by an average of 55% during the pandemic.
Important changes are as follows.
- The child-consent age in the UK GDPR will be lowered from 16 to 13.
- The UK GDPR defines personal data in a more limited way.
- British organisations will not need official authority to process criminal data.
- There is an exemption from the GDPR if the processing of personal data is of public interest.
- An organisation can ignore the rights of data subjects if they significantly inhibit its need to process data for scientific, historical, statistical or archiving purposes.
- Any company that continues to trade in the EU will have to appoint an EU representative and lead supervisory authority in the EU.
How to improve the GDPR?
In terms of improvement, it is not the regulation itself that needs changing but rather the implementation of it. I believe that governments ought to do more to ensure that financial firms comply with these laws, taking action against those that do not comply. A good example of the importance of this is the updated California Privacy Rights Act, which appoints a special Privacy Protection Agency to enforce the law. If the GDPR is to take deeper hold, governments should make it easier for businesses to implement it as well.
In the years ahead, consumers will continue to look for and choose financial firms that provide them with easy access to their data and a high degree of control over it. As a result, those firms will have to make data privacy a priority and, indeed, realise that it is essential to their reputations. Because the GDPR is growing in importance, we shall see the importance of data privacy growing at banks, no matter what their size. Bankers are bound to realise that it affects more than just the data, privacy, and legal departments of their companies - it also extends to their reputations and, ultimately, to their bottom lines. We are three years in and this is only the beginning. Privacy regulations are going to change the digital world as we know it.