The EU's flagship data protection law, the General Data Protection Regulation (GDPR), celebrated its sixth anniversary on 25 May 2024.
Since coming into effect in 2018, its stringent requirements for enhanced security controls and data privacy have consistently raised awareness about the issues surrounding the storage and processing of personal data.
This regulation has set a global benchmark, becoming a model for regulators worldwide.
The GDPR was designed to protect individuals' fundamental rights and freedoms, especially their right to personal data protection.
As internet usage became more widespread, the EU Parliament recognised the need for updated guidelines to adapt to a more connected world where data is the common currency.
The GDPR was created to replace the 1995 Data Protection Directive used across various European countries.
In the past six years, €4.5 billion has been paid in GDPR violation fines, according to research by Nordlayer.
Spain, Italy, and Germany have imposed the largest fines.
Since the GDPR came into effect, individual data protection authorities have issued 2,072 violation decisions.
Spain holds the worst record, with 842 fines totalling €80 million since 2018.
Compliance has been an uphill struggle for many organisations, but its impact in helping individuals manage their data better and holding organisations accountable for data mishandling cannot be overstated.
The GDPR has reshaped how we manage data, enforcing a much-needed prioritisation of privacy rights.
I don't think it goes far enough when I look at data protection legislation in places such as Jamaica.
People criticise the administrative burden that the GDPR imposes, in particular, the compilation of records of processing activities or RoPAs.
My view is that RoPAs are very difficult to put together and maintain, not because they are a bad idea, but because organisations have allowed their data processing activities to balloon with very little control.
The challenge of documenting those data processing activities is therefore burdensome - but the requirement to bring them under control is not the thing that should be under pressure and reformed.
Another popular area for GDPR bashers is in relation to its ability to cater for the emergence of new technologies, including AI. The thought process, I believe, depending on what camp one is in, is either that the GDPR is too restrictive to allow AI to flourish, or that it is too weak to properly regulate AI. My view is that it's actually pretty well-placed.
Equally, the process of undertaking a data protection impact assessment on an AI project is often hampered by organisations not being able to adequately get under the skin of their AI tools.
Surely they need to in order to understand what data protection and privacy risks they may pose.
This Cyber News was published on www.itsecurityguru.org. Publication date: Tue, 28 May 2024 16:43:06 +0000