The UK General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world, but its enforcement is falling short.
That’s according to a top data analyst, who says that companies falling foul of data laws have often faced few and small fines, giving the impression that GDPR is a ‘toothless tiger’.
In force since May 2018 in the European Union (EU), it imposes obligations on organisations anywhere in the world, so long as they target or collect data relating to people in the EU. The GDPR can levy harsh fines on those who violate its privacy and security standards, with penalties reaching into the tens of millions of euros.
GDPR governs the way in which we can use, process, and store personal data (information about an identifiable, living person). The current GDPR rules include the right to be informed; right of access; right to rectification; right to erasure; right to restrict processing; right to data portability; right to object and rights related to automated decision making including profiling.
The GDPR does not apply where the data subject is deceased, where the data subject is a legal person (such as a company), or where the processing is carried out by a person acting for purposes outside their trade, business, or profession. In other words, personal data processed in the course of a purely personal or household activity, with no connection to a professional or commercial activity, is outside the UK GDPR’s scope.
“GDPR has undoubtedly brought about a significant change in how organisations collect, process, and protect personal data,” Rebecca Harper, head of cybersecurity analysis at ISMS.online, said. “It has given individuals more control over their data, established higher data protection standards across the EU, and influenced standards globally.
“Although the GDPR is an EU regulation, its extraterritorial reach has meant that many organisations worldwide had to comply with its provisions if they handled EU citizens’ data. This has sparked a global conversation about privacy and data protection, leading to increased awareness and improved data practices beyond the EU.
“The GDPR has also harmonised data protection laws across EU member states, replacing the previous patchwork of national regulations. This simplification has been hugely beneficial for privacy professionals and businesses, as it provides a unified framework and consistent standards for compliance. The benefits of such an approach are many; harmonising more standards in this way would positively impact businesses, enforcement and understanding.
“The regulation has also increased awareness about data privacy among individuals and organisations. It has made companies more accountable for how they handle personal data and has given regulators more power to enforce compliance and impose fines for non-compliance.”
The GDPR applies to organisations that process the personal data of EU citizens or residents, or that offer goods or services to such people, even if the organisation itself is not based in the EU.
Organisations that violate the GDPR can face fines. There are two tiers of penalties, the higher of which maxes out at €20 million or four per cent of global annual turnover (whichever is greater), and data subjects also have the right to seek compensation for damages.
The GDPR defines an array of legal terms covering the collection and use of data.
Personal data — Any information that relates to an individual who can be directly or indirectly identified. Names and email addresses are obviously personal data. Location information, ethnicity, gender, biometric data, religious beliefs, web cookies, and political opinions can also be personal data. Pseudonymous data can also fall under the definition if it is relatively easy to identify someone from it.
Data processing — Any operation performed on personal data, whether automated or manual. The examples listed in the regulation include collecting, recording, organising, structuring, storing, using and erasing, so in practice almost anything done with the data counts.
Data subject — The person whose data is processed, typically a customer or site visitor.
Data controller — The person or organisation that determines why and how personal data will be processed. If your organisation decides the purposes and means of the processing, it is the controller.
Data processor — A third party that processes personal data on behalf of a data controller. The GDPR has specific rules for these individuals and organisations, which could include cloud hosting providers or email service providers.
“While the GDPR imposes obligations on organisations, it also presents business opportunities,” Harper continued. “Compliance with the GDPR empowers organisations to enhance consumer trust and reputation and realise a competitive advantage, which is highly valuable for organisations looking to win business and drive revenues.”
However, while some high-profile penalties have been issued due to organisations failing to meet the requirements of GDPR, the fines have been less frequent and smaller than anticipated, Harper added. “Some fines have even been reduced after appeal, which doesn’t send the strongest message to organisations to take data privacy seriously. This does beg the question of whether GDPR has been a toothless tiger in terms of enforcement.
“With the UK currently reviewing the Data Protection and Digital Information (No. 2) Bill, which would be a significant move away from GDPR, it will be interesting to see how the lack of harmonisation with the EU will impact businesses, and the level of complexity that such significantly different standards will impose on companies operationally, financially, and competitively within the broader EU markets.”