The Wall Street Journal has reported that, one year after GDPR became applicable across the European Union (EU), regulators are about to announce enforcement actions that could result in large fines. Until now, the monetary penalties issued have been relatively small. Authorities in Ireland and the United Kingdom say that this first year was spent building the cases against companies that contravene the new data protection rules.
The nature of personal data has changed dramatically in the last two decades. Daily life is increasingly driven by digital data. As the online world expands and runs ever more closely in tandem with the physical world, the amount of digital information each person produces keeps growing. Every internet search, tweet, online purchase or browser cookie can potentially be linked back to a person, and therefore represents a possible threat to privacy.
The size of the problem is illustrated by the growth in the amount of data being created and held in databases.
It has been estimated that the total amount of data held in the world was about three exabytes in 1986. By 2011 that figure was estimated to exceed 300 exabytes, and it has continued to grow enormously since. Today, the US alone is estimated to hold over two zettabytes of data.
Privacy has therefore become a major concern for governments and individuals. Businesses have an obligation to protect their customers, but the scale and variety of data they may hold can make this difficult.
Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR), became applicable across the EU on May 25, 2018, and was subsequently incorporated into the European Economic Area (EEA) Agreement so that it also applies in the non-EU EEA states. GDPR replaced the Data Protection Directive 95/46/EC.
GDPR asserts the right of the individual to control their personal data. Its scope (Article 3) is broad: it applies to any controller or processor established in the EU/EEA that processes personal data, regardless of where the processing takes place, and to organizations outside the EU/EEA that process the personal data of people who are in the EU/EEA in connection with offering them goods or services or monitoring their behaviour. Note that the test is where the data subject is, not their citizenship, and that the Regulation covers public bodies and non-profits as well as commercial operations. An organization with no EU/EEA presence can therefore still be subject to GDPR.
The EU has adopted a broad definition of personal data. GDPR itself (Article 4(1)) defines it as “any information relating to an identified or identifiable natural person”, and lists online identifiers among the things by which a person can be identified. The European Commission’s plain-language explanation of the term is: “any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
In practical terms, businesses need to protect an individual’s IP address or cookie identifier with the same vigor they apply to shielding a customer’s name, address or social security number. Recital 30 of the Regulation explicitly names IP addresses and cookie identifiers as online identifiers that may, alone or combined with other information, make a person identifiable.
GDPR (Chapter III) gives individuals eight data subject rights, which organizations must be able to honour:
1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. Rights in relation to automated decision-making and profiling
SGS offers the EuroPrivacy certification scheme to help businesses:
SGS offers a comprehensive range of services to help organizations understand and comply with data protection regulations such as GDPR. Our experts can assist in the implementation of compliant practices, helping businesses to protect themselves from the risks associated with data collection and retention.