The introduction of the GDPR marked the dawning of a new age in privacy and data protection legislation, opening the door to a growing global regulatory landscape.
The GDPR forced organizations to start their data protection journeys to keep up with the evolving world of data privacy. With enforcement actions, new guidelines, international data transfers, and global development of privacy laws and regulations, organizations had to develop data policies that could keep up with the rapid pace of these changes.
So, what have we learned over the last four years, and what’s on the horizon?
Data transfers in the spotlight
Like the EU Data Protection Directive before it, one of the goals of the GDPR is to ensure the protection of EU citizens’ data when it’s transferred outside of the EU. And like Schrems I, the CJEU’s decision in Schrems II brought with it new considerations for organizations. It’s been almost two years since that decision, but in the last year the European Data Protection Board (EDPB) also issued the final version of its recommendations on supplementary measures, and the European Commission adopted and released its new Standard Contractual Clauses.
With the release of these documents, organizations have been continuing to prioritize the steps laid out by the EDPB, working both internally and with customers, partners, and vendors to ensure compliance.
The work is against an ever-evolving backdrop. Data protection authorities (DPAs) are highlighting their Schrems II compliance expectations through investigations and enforcement actions. And the recent announcement of an agreement in principle for a new Trans-Atlantic Data Privacy Framework may provide further certainty for privacy professionals on EU-US data transfers. What is certain is that EU data transfers will continue to rank highly on companies’ and regulators’ lists of priorities for the year to come.
Operationalizing GDPR through guidance
The GDPR’s requirements are laid out across 11 chapters and 99 articles. To help organizations comply, the EDPB and national DPAs release guidance on key compliance areas.
In the last year, the EDPB has updated its former guidance on the concepts of controllers and processors to take account of the dynamic relationships and roles in today’s modern world. It also adopted new guidance to help businesses handle data breaches, and on the types of factors to consider during risk assessments. National DPAs weighed in on issues like Privacy by Design and artificial intelligence.
Down the road, we can expect to see finalized guidance on data subject rights as well as other topics, like legitimate interests as a legal basis.
GDPR in a global context
Since agreement on the GDPR was reached in 2016, there has been a proliferation of new privacy laws around the world. The influence of the GDPR is seen within these laws, with many taking a similar approach to regulating data protection and privacy.
In the US, Utah and Connecticut recently became the fourth and fifth states respectively to pass comprehensive privacy laws in the absence of a federal law. Quebec modernized its law through Bill 64. In Brazil, the LGPD’s enforcement provisions took effect. China’s PIPL and DSL were finalized and entered into force, as did Japan’s APPI amendments. Federal laws were also passed in Saudi Arabia and the UAE, whilst South Africa, Rwanda, and Botswana all had laws take effect. The list can go on and on!
The commonalities in requirements are many. However, as they say, the devil is in the detail, and mapping between these requirements remains an important task for organizations.
And there are no signs of slowing down either. The UK announced a new Data Reform Bill. Israel is looking to amend its four-decade-old law. Thailand’s first Data Protection Act comes into force next month, while India’s debate on its own law continues. For businesses operating globally, staying agile is as important as ever.
More data laws are coming
The EU’s Digital and Data Strategy is on the move: the AI Act, the Data Act, the DMA, the DSA, the DGA. Running alongside is an increased desire to enhance the regulation of cybersecurity, and that’s where we see the proposals for NIS2 and the Digital Operational Resilience Act (DORA). And though initially proposed in 2017, agreement on the proposed ePrivacy Regulation also seems to be edging closer.
These are some of the new abbreviations privacy professionals are including when speaking on issues of data protection and privacy. As more laws regulate the use of both personal and non-personal data, as technology continues to evolve, and with data being an increasingly valuable resource, organizations are thinking holistically about their data governance programs, not only to comply with these laws but to drive business value.
Industry experts reflect on 4 years of GDPR
Take a look at what privacy leaders across industries have to say about the past four years of GDPR and where the future of data privacy looks to go.