If we were to think of the data protection world in a broader historical context, we could say we are entering a new age. The decades prior to the reform of the previous EU data protection framework were, let's say, pre-history. Basic rules governed the collection and use of personal information in a very analog way. Then, about 10 years ago, the need for a new type of framework — more robust yet progressive enough — became palpable. That led to a period of arduous legislative activity that culminated with the coming into effect of the EU General Data Protection Regulation in May 2018. Since then, the effect of the revised framework has been relentlessly steady.
And this is just the beginning.
Though it has been less than a year, we can now see the direction of travel. The GDPR has brought with it significant change. What emerged after the unprecedented and nearly irrational rush to compliance with the new law is now in full view but still largely unexplored. The reason for this is that the complexity behind the GDPR is something that no other data protection legal system had witnessed. From very prescriptive rules to the all-so-woolly "risk-based approach," the GDPR is a legal masterpiece riddled with technical challenges. Many of the concepts, principles and rules require careful interpretation to be properly understood, observed and enforced. That will take time — certainly years, in some cases, decades — and in the meantime, we can only take a stab at formulating our own understanding.
From very prescriptive rules to the all-so-woolly "risk-based approach," the GDPR is a legal masterpiece riddled with technical challenges.
Something that is certain is the GDPR's global impact. Organizations across all corners of the world are looking at it. In many cases, they wonder whether the law even applies to them while accepting that adopting suitably compliant practices is probably a wise thing to do. Such has been the effect of the GDPR, that legislators around the world are copying its ideas and content. The international domino effect has probably even surpassed the expectations of European policymakers and regulators, who are as overwhelmed by it as the foreign entities that feel compelled to abide by this ambitious law.
When the same policymakers and regulators are asked about what aspect of the GDPR they are most proud of, they often refer to one of the primary objectives of the legal reform: putting people in control of their data. Like many other areas of the GDPR, this is work in practice, but it is unquestionable that the rights available to individuals are being exercised more than ever before — even when the scope of those rights has not actually changed that much.
The organizations that are subject to the GDPR are certainly occupied identifying compliance priorities and implementing suitable measures to fulfill a whole patchwork of obligations. During these initial months, it has been tempting to aim for the low-hanging fruit and the easy wins — records of processing, transparency mechanisms, data-processing agreements, the odd policy. However, more difficult and arguably more important steps remain: putting data minimization, data protection by design and by default, and data protection impact assessments into practice in a seamless and truly pervasive way.
All this work will probably increase its pace as regulatory enforcement starts to bite.
So far, we have seen an extraordinary level of coordination within the European Data Protection Board, which has become even more prolific than its predecessor, the Article 29 Working Party. But enforcement has been relatively measured. As regulatory activity develops, so will the sophistication of civil society, which is already actively committed to playing an influential role in the further practical impact of the GDPR.
Next year will bring even more change but not necessarily all the answers. We'd better get used to living with uncertainty because that is always a sure consequence of entering a new age.
If you want to comment on this post, you need to login.