When the General Data Protection Regulation (GDPR) was established on the 14th of April 2016, EU legislators had hoped that it would “harmonise” data privacy laws across Europe, as well as give greater protection and rights to individuals.
On the face of it, it sounds wonderful. But, when GDPR came into effect on the 25th of May 2018, it meant big changes for the public, as well as organisations that handle data.
Businesses had been given two years to get their affairs in order and to ready themselves for a new way of data processing and storage. But was it enough time? And, now more than three and a half years since the new data rules were formed, have companies really got to grips with them properly?
Laura Irvine, partner at Edinburgh-based DCS Legal, wrote the GDPR Guide for the Law Society of Scotland. She believes the new regulations have had a positive impact on Scottish businesses, but that there is yet more work to be done.
“I hope that organisations have come to recognise the importance of looking after and using personal data properly,” she says. “Not just to avoid fines but to enhance their reputation. I do think that individuals are more aware of these issues and are more willing to challenge organisations. And, of course, we all receive fewer marketing messages.”
But, according to Irvine, there are misconceptions surrounding the regulation, which are clearly causing confusion for companies and individuals alike.
“There are still a huge number of myths about the GDPR and what you can and cannot do with personal data,” she says. “Some of this stems from ‘so called’ experts getting it wrong and some stems from the complexity of the issues which are often badly explained.
“This has caused some organisations to use the GDPR as an excuse to, for example, stop sharing information when they did before. However, for other organisations the GDPR was an opportunity to think about how they use personal data and to reassure clients, customers and service users that they are getting this right and can be trusted.”
So where do we go from here with regard to data protection?
“The black letter law is there but there needs to be better guidance in plain and simple language to allow organisations and people to understand what they are doing with personal data and why it is important to get it right,” Irvine notes.
“There also needs to be more enforcement action, which is not focused on large scale data breaches, but instead looks at some of the day to day issues where damage is caused to individuals by, for example, unfair processing or retaining too much data.
“And we need the new ePrivacy Regulation to really address some of the online issues.”
This is a proposal for greater regulation of electronic communications within the European Union, in order to increase privacy for individuals and entities. “But that is a long way off,” adds Irvine.