European data protection regulation: a year on
Europe’s General Data Protection Regulation (GDPR) has been in force for more than a year now. Ana I. Segovia of BBVA’s Regulation and Internal Control department reflects on the legislation and the impact it has had during this time.
Last May marked the one-year anniversary of the enactment of Europe’s General Data Protection Regulation (GDPR). Institutions and companies alike are taking stock of what this relatively new regulation has meant both in Europe and further afield. First, it has clearly advanced public awareness and recognition of the right to data protection.
The March 2019 Eurobarometer survey attests to this: 67 percent of survey participants said they have heard of GDPR, and 36 percent indicated that they know what it involves. Furthermore, 57 percent of those surveyed say they know which authority in their country is responsible for protecting personal data rights. This represents a 20-percentage-point increase from the 2015 Eurobarometer survey.
Supervisory bodies are also analyzing the regulation’s impact. The European Data Protection Board, the institution that consists of supervisory bodies from EU member countries, announced that the number of queries and complaints received by the authorities has been on the rise: in the past year more than 144,000 queries and complaints and more than 89,000 notifications of security breaches were received. Lack of transparency and valid consent are the most common causes for complaint. These are precisely the reasons cited for the largest fine for infringement to date (€50 million) levied against Google by the French authority (CNIL). Nonetheless, it is worth mentioning that heavy fines have hitherto been infrequent.
For enterprises, data protection regulation has involved a financial commitment and the adoption of measures that include a change in the way they handle their customers’ data. Businesses have had to transform their processes and review their data retention and archiving policies in order to ensure compliance with the regulation. Consequently, there has been a breakthrough in data governance and strategic decision-making about its use. This has allowed businesses to deepen their relationships and level of trust with customers, where the user experience as it relates to privacy can represent a competitive advantage.
Despite the generally positive assessment, there is still progress to be made. In a digital economy where the financial value of data is a key element, the customer must be able to extract value from his or her data. To this end, portability is a newly recognized legal right that stipulates there must be simple, real-time mechanisms in place that give customers – and third parties when they have received customer consent – control over their data. It is therefore crucial that regulators build on current regulation, which is insufficient in the new environment. For example, blockchain is a technology that presents significant complexity with respect to the practical implementation of the right to be forgotten; and artificial intelligence is hard to reconcile with the GDPR principle of data minimization. With the emergence of these kinds of new technologies, legislation needs to be developed to enable businesses to work within a framework of legal certainty.