Now is the time for risk managers to reflect on what GDPR has accomplished and the various challenges it is facing in the coming year, argues Martin Davies, Audit Alliance Manager, Drata.

The European Commission recently completed its four-week consultation with stakeholders sharing their views on how the General Data Protection Regulation (GDPR) has been working since it launched six years ago.

The feedback from the consultation could result in changes to the rules and the way data protection authorities (DPAs) enforce them, especially cross-border cases under the “one-stop shop” mechanism.


It remains to be seen precisely what changes the recent consultation will result in. However, after six years it is clear that GDPR has largely been a success.

Now is the ideal time for risk managers to reflect on what GDPR has accomplished and the various challenges it is facing in the coming year.

GDPR achievements and improvements

Since it came into force in 2018, GDPR has been tremendously successful in strengthening the privacy rights of EU citizens.

Organisations are now much more cautious when it comes to using personal information in potentially dubious ways, as this risks putting their reputation on the line.

Financial deterrents imposed by the regulators act as an effective stick to ensure companies invest in the resources to meet their data protection responsibilities.

Before the roll-out of GDPR, the regulators had no equivalent deterrent to use against bad actors, which left organisations far more relaxed about using personal information for commercial gain.


GDPR has most definitely improved how we handle data in Europe and will continue to evolve, as demonstrated by this consultation.

Hopefully this consultation will mark the next stage in the legislation’s evolution.

Perhaps the most common criticism of GDPR is that it largely takes the form of principles-based guidance rather than explicit rules, leaving much to the interpretation of individual organisations. That leads to onerous and costly in-house processes, which can prove a burden on the typical risk manager.

More specific detail about what qualifies as a ‘legitimate interest’ lawful basis for processing, set out by industry or business model, would doubtless help.

GDPR enforcement

The decentralised enforcement model means that each EU member state’s data protection authority is responsible for investigating and enforcing GDPR breaches committed by entities whose main establishment is within its borders, rather than enforcement being handled through a centralised pool of resources.

However, if each authority interprets GDPR through its own, largely isolated processes, the result may be inconsistent enforcement.

While significant disparities in viewpoints among enforcement agencies have yet to surface, subtle differences in interpretation are to be expected. In compliance matters, these nuances are often pivotal.


If decisions made by one enforcement agency conflict, even slightly, with those of another, companies may find it challenging to discern the precise interpretation of a GDPR requirement.

Instead, regulators should be encouraged to share information with one another in a more consistent fashion, with more systematic processes applying to cross-border cases. By collaborating more efficiently and consistently, duplication of effort would be minimised and broader consensus reached.

Clarifying and solidifying guidelines for cross-border cases would close a regulatory gap and offer clearer direction for international businesses.

The pitfalls of the ‘one-stop-shop’ concept

The “one-stop-shop” principle under GDPR dictates that if a company operates in multiple EU member states and a complaint or breach arises, the investigation is led by the authority in the member state where the company has its main establishment.

This imposes significant resource burdens on the data protection authorities of certain member states, such as Ireland’s Data Protection Commission, which leads the cases involving the many international tech giants whose EU main establishment is in Ireland. This challenge stands out as the primary obstacle to effective enforcement of GDPR.

Adopting a more centralised approach by pooling data protection regulatory resources to some degree across the continent could offer a solution. Such an approach would promote increased sharing of information among member states, leading to a more uniform interpretation and enforcement of GDPR.

Revising GDPR to reflect future data practices

As digital services become more intertwined with AI components, it becomes crucial to precisely define the scope of consent individuals provide when sharing their personal information. The complexity and opacity of AI algorithms pose challenges for individuals to grasp how their data is used, highlighting a pressing issue for regulators to tackle in the near future.

As noted above, a centralised approach to enforcement will also help the EU face the challenges posed by a rapidly changing market.

The development of clearer rules around interpretation would also help, making it easier for organisations to comply and for enforcement authorities to detect violations.

Centralised interpretation guidelines and clarifications about GDPR requirements would boost consistency and equip risk managers with the tools needed to respond to new challenges.

GDPR and the rise of AI

The emergence of AI and Large Language Models (LLMs) brings a wide range of tricky questions, particularly around data retention and data subjects’ right to erasure.

The potential of AI also inevitably raises security concerns, which underlines the importance of widely recognised regulations such as GDPR being backed by comprehensive enforcement.

With the rapid proliferation of AI, GDPR must swiftly offer enhanced clarity to ensure alignment with evolving technological landscapes.


Such clarity would not only help businesses harness cutting-edge technologies but also reduce uncertainty about how to remain GDPR compliant while doing so.

From the perspective of enhancing personal privacy in a world where such information has become easy to misuse, the GDPR has proven a remarkably robust and successful law.

As this world of data continues to evolve, with new technologies and channels coming onstream all the time, it is vital that GDPR continues to oversee how we manage our data in all manner of contexts.

It will be interesting to see the outcome of the recent consultation and find out where we go next on this journey.