Regulation (EU) 2016/679, widely known as the General Data Protection Regulation, entered into force two years after its adoption, on May 25, 2018. However, most companies were not prepared for the changes the GDPR brings to personal data processing, changes that affect small businesses and large internet companies equally. The GDPR's effects are visible to law practitioners and students as well, since they will be the ones called upon to ensure a company's compliance with the Regulation. Three months after its entry into force, we asked eight lawyers, scholars and students to share their experience of the Regulation's advantages and disadvantages.
“When the GDPR was adopted in 2016, a few companies decided to put aside a special budget for compliance, even though they believed that nothing would happen. Still, large companies spent around 10% of their turnover to become compliant, knowing the risks they were facing. The GDPR came with a set of requirements aimed at protecting the personal data of the data subject (i.e. natural persons). This is not a negative thing.
Taking into consideration the development of the last few years in the IT sector, the apps on Google Store and App Store, people are not aware of what data they are transmitting anymore and where these data are transferred. Just think of the amount of SPAM messages you receive every day, although you click “unsubscribe”. And you don’t even know how they got your data. So, the significant pro of the GDPR is protection. People have more rights regarding the use of their personal data than ever before. With proper knowledge and understanding, they will enforce these rights and companies will therefore become more responsible. Are you GDPR compliant? Well, this means that you respect your customer and his/her privacy above all. That is a great plus. I have seen companies that used GDPR compliance as part of the strong relationship they wanted to build with the customers.
The drawback, however, is that consultants and authorities saw the GDPR as a gold-mining field. All they could see were punishments of 4% of the annual turnover or 20 million EUR, whichever is higher. Less emphasis was put on explaining what the GDPR really implies for companies and how they could be compliant. There is also a lack of explanation regarding the legal basis for processing and to whom GDPR exactly applies. To sum up, GDPR is very good as long as one understands its basic principles.”
By Ana-Maria Udriste
Lawyer and Co-Founder at Avocatoo
“The issue of data protection is not new for the European world, but after May 2018, when the GDPR entered into force, data protection as well as data processing became one of the biggest problems of the business environment, which is even today characterised by a lack of compliance and unawareness regarding data storage and processing. The data protection audit of SMEs brought forth many problems that they had long before May 2018, but had not solved, because under the Data Protection Directive, the approach of National Data Protection Authorities and domestic courts of law differed significantly. Despite the fact that the Regulation was actually adopted and published in 2016, and both companies and Member States had the time to adapt, comply and implement new and fresh privacy policies in accordance with the Regulation, both the business environment and the Member States were caught unprepared. We will see how this new saga will evolve, but until this date, from my experience the Data Protection chapter is a story in development not only for European states, but also for overseas companies which process data even of one European citizen. The European legislator took a hegemonic path with this Regulation. To be continued…”
By Daniela-Olivia Ghicajanu
Tax and Legal Consultant
“The General Data Protection Regulation 2016/679, which along with the Data Protection Directive 2016-689-EU replaced Directive 96/46/EC, is the result of the rapid technological developments of the past few years, which call for the protection of citizens' personal data.
One of its main goals is EU-wide standardisation and harmonisation of the regulatory environment. This is why the GDPR is of general application according to Art. 288§2 of the Treaty on the Functioning of the European Union, and is directly applicable in all Member States. The advantage of this is that once they are GDPR compliant, companies can operate across EU countries and process EU citizens’ data, wherever they are in Europe, without having to worry about diverging national legislation.
Furthermore, the GDPR strengthens preexisting rights of the data subjects. Thanks to it, individuals acquire an active role regarding the processing of their personal data. The right of access (Art. 12) is expanded to include the right to be notified of a personal data breach (Art. 32). Additionally, in such a case, the data controller must inform the supervisory authority, without undue delay. Moreover, a Data Protection Officer (Art. 37-39) is designated by both data controllers and processors, with a role quintessential for the protection of personal data; he communicates with both the data subject and the supervisory authority. What is more, the right to rectification (Art. 16), which allows the person to correct inaccurate information has also been reinforced, much like the right to erasure/ “to be forgotten” (Art. 17), after the CJEU's Google Spain judgment. The latter is very crucial for the protection of private life, as many companies maintain the personal data of their clients, even if they ask for them to be deleted. Finally, the right to data portability (Art. 20), according to Recital 68 of the GDPR, grants the data subject the right to receive a copy of his/her personal data, in order to transfer it to another controller. In this way, the GDPR pursues the freedom of data traffic.
The GDPR also affords higher, special protection to children’s personal data, due to the fact that children are a vulnerable social group. According to Art. 8 of GDPR, parental consent is necessary for processing children’s personal data at the age of 13-16 years.
In addition to protecting citizens' privacy, all these modifications are expected to increase companies' customer base since the improved security of personal data systems should make them more willing to share their data in a secure environment.
On the other hand, a major concern is the cost of updating company data policies, in order to become compliant with the Regulation, which companies will have to bear themselves. The majority of small businesses, however, are presently unable to implement additional cybersecurity features and to invest in technological solutions which would allow them to comply with the requests for data erasure.
Finally, I cannot omit the fact that the sanctions provided for in the GDPR are much stricter than the ones in the Directive. If a company is not compliant with the core principles of the GDPR, it will have to deal with massive fines. According to Art. 83§5, the fines for non-compliance are up to €20 million or 4% of a company's global annual turnover for the preceding financial year, whichever is greater.
In conclusion, the GDPR is the most essential and decisive modification to the European legislation of personal data protection in recent years. EU citizens and companies can benefit from this very powerful protection, keeping in mind that innovation always comes with high costs.”
By Giota Koutma
4th year student at Aristotle University of Thessaloniki, School of Law
“After my immersion in the depths and narrow seas of the data protection field, I was faced with the significant challenge of explaining the importance of the GDPR to our clients. None of them was aware of this regulation nor of the amount of data they provide/collect on an unsecured basis. Neither data subjects, nor controllers or processors knew that personal data refers to any information that relates to an identified or identifiable living individual, regardless of whether that business processes and stores personal data using a complex IT system or via paper-based files. Furthermore, most of them believed that drafting one or two privacy notices and “some papers” of consent would render them GDPR compliant, and thereby, allow them to avoid the fines and bad publicity. Additionally, many of the companies were processing a great amount of unnecessary data, unrelated to their activity or the purpose agreed by data subjects. The small-medium sized business reality I faced after data audits convinced me to adapt my explanations and to be as comprehensive as possible when it comes to unfolding the necessity of implementing a wide range of data protection policies and procedures, assigning a DPO and adjusting company budgets to cover security expenses. Putting in place the right tools and processes will greatly benefit a company, while the actions taken to comply will lead to a competitive advantage, enhance its reputation for best practices and act as a platform for better data insights.”
By Maria Claudia Andrieș
Attorney at law Bucharest Bar, Romania
“The EU Regulation 2016/679 entered into force just a couple of months ago, but even before that all media channels were filled with news concerning its application. One of the main advantages of the GDPR, besides the higher data protection standard, is its popularity, the fact that it is widely known to the ordinary public. It also has an important international impact because it has made transnational companies, such as Facebook or Google raise their data protection standards for all users. Concerning the disadvantages, the Regulation harms public institutions’ transparency and hinders the activity of most of the controllers. Furthermore, some websites refused to permit access to EU citizens and users have to accept individual processes for each website. Even under these circumstances, I rather think that the GDPR is “a positive thing” and it is only a matter of time for us to become fully accustomed to it.”
By Rus Călin Ioan
Student at Babeș-Bolyai University, Faculty of Law
“The General Data Protection Regulation was designed by the EU to harmonise data privacy laws across Europe. This regulation seems to bring complications and require much more effort from companies that process personal data (and almost all the companies work with personal data in one way or another), but I believe it was truly necessary, as we live in an era when privacy and data breaches are more common than ever. The positive side of the regulation is that the area of applicability is clearer than it was earlier, under the directive that regulates the same field. It will be applicable to every company that processes the personal data of subjects residing in the Union, regardless of the company’s location. Another positive change is that the condition of consent was made simpler and thus, the request for consent will be much more intelligible. The companies need to provide clear information about how they use data or for what purpose, and one can easily withdraw his/her consent. The problematic aspect of the GDPR is that many firms (especially the small ones) which can’t afford legal advice, may receive severe fines, if they fail to implement the GDPR, to the point where they might have to shut down their businesses. I think Member States should provide guidance on the GDPR and help companies understand the obligations it imposes (e.g. who can become a data protection officer) instead of creating more problems (such as the law which regulates the processing of personal data by political parties or non-governmental organisations). In conclusion, we have many problems to overcome, but I think we are on a good path.”
By Orsolya Egyed
Graduate of the Babeș Bolyai University, Faculty of Law
“For a law firm, the EU General Data Protection Regulation (GDPR) had and will continue to have two major implications, in relation to: its own data protection compliance measures and the guidance of its clients in their GDPR compliance steps. And that is because data protection compliance is an ongoing, lengthy process that must be continuously redesigned so as to keep up with the fast-paced technological developments.
Although, at first, it may seem that the Regulation will disrupt a company's business, in the long run the advantages will most probably prevail: the data protection compliance process will enhance the efficiency of the business activity by not only eliminating all unnecessary data processing operations but also by putting in place clear mechanisms, protocols and principles for ensuring such compliance.
Although the GDPR replaces and, furthermore, upgrades the Data Protection Directive 95/46/EC by taking into account the current economic, legal and technical environment, it is to be noted that the GDPR is not and was not even intended to be either infallible or comprehensive. Consequently, the GDPR principles will be further developed through the case law and practice of both the CJEU and data protection authorities.”
By Theodora Stoica
“Our society is becoming ever more digitised. The pace of technological development and how personal data are being processed affects each of us every day and in all kinds of ways. The legal frameworks of the European Union (EU) and the Council of Europe that safeguard the protection of privacy and personal data have recently been reviewed. Europe is at the forefront of data protection worldwide. The EU’s data protection standards are based on Council of Europe Convention 108, on EU instruments – including the General Data Protection Regulation and the Data Protection Directive for Police and Criminal Justice Authorities – as well as on the respective case law of the European Court of Human Rights and of the Court of Justice of the European Union. As an update to a twenty-year-old regulation, the GDPR in particular is considered a ground-breaking legislation, designed to tackle the most pressing privacy concerns. If successful, it could function as a blueprint for all future data protection legislations across the globe. There is a certain degree of panic fueling companies’ rush for GDPR compliance as policy makers, lawyers and industry experts debate the potential implications of certain requirements and try to predict how they will be implemented. How strictly the GDPR will be applied will depend on the national Data Protection Agencies in every Member State. Speaking about the pros of GDPR, it can be said that with cybercriminals ready to exploit any vulnerability in networks, applications, website infrastructures and potential leaks from careless or malcontent employees, the security of data has never been more fragile. Businesses can no longer afford to ignore cybersecurity. Data breaches and leaks take a serious toll on companies’ reputations. Customers can lose confidence in a brand if they know that their data are not safe with them.
With improved cybersecurity, clients will not only continue to put their trust in companies, but they will be more willing to share data. Companies can thus increase their customer base. One of the GDPR’s main goals is an EU-wide standardisation and harmonisation of the regulatory environment. This will essentially mean that, once they are GDPR compliant, companies can operate across all EU countries and process EU citizens’ data wherever they are in the Union without having to worry about diverging national legislations.
On the side of the cons, as is often the case with legislation (especially that coming from the European Commission), there is a concern of overregulation. Adding red tape in the form of endless consent prompts for every data process might significantly burden customers in their enjoyment of online services and applications in an age when user-friendliness is one of the key factors in retaining customers. One of the huge drawbacks of GDPR compliance is of course the cost to reach it. In order to become compliant, it is not enough for companies to update their internal policies. Depending on the amount of EU citizens’ data they process, they must appoint a Data Protection Officer and ensure that their products all take a “privacy first” approach in their very design. This in itself implies additional cybersecurity features that need to be included in software architecture, entailing more work for the developers. Software that offers data loss prevention or data classification features should be implemented system-wide for a better insight and control of who is processing data and where. All of this, of course, comes at a cost. Another major concern is the massive fine for non-compliant companies. Businesses can be fined up to €20 million or 4% of the global annual turnover for the preceding financial year, whichever is greater.
In conclusion, the GDPR is here to stay and, with all its drawbacks, will rewrite cybersecurity standards and make companies accountable for failures to protect EU citizens’ data. While businesses are still grappling with the finer points of the new regulation, once the initial hurdle is overcome, a decline in data breaches is expected to follow. Whether the GDPR will live up to its full potential as a revolutionary data protection regulation for the 21st century or flounder in bureaucracy will be decided by the way it is implemented by the European Union and each of its Member States in particular.”
By Tudor Vidrean-Căpușan
Lawyer, Ph.D. in Law
“As with many EU regulations, when considering the initial effects of GDPR on the business environment, it would be safe to say that practice and theory are far removed. This is to say that the noble intentions which lie at the heart of adopting comprehensive standards for data protection run the risk of stirring up quite a bureaucratic mess for most companies, without adding much in the way of actual improvements to people's lives.
In theory, GDPR is here to help European citizens take control over their personal information and the way it is currently being processed, whereas the set of rights pertaining to personal data is part and parcel of EU citizenship itself. Moreover, companies are responsible for the ways in which they gather, use and store all of our personal information, whether it be sensitive or otherwise.
However, the truth is that GDPR is a complex set of rules, which can overwhelm multiple areas of any business' activity. There's always a risk that exhaustive measures haven't been taken – let alone thought of, as might be the case with larger companies, which process data in several different ways, potentially leaving some of these unaccounted for, while the fines and penalties for failing to do so are anything but affordable. Fearing the worst leads many to look for ways to comply on the surface, instead of actually doing something about the safety of our data. Most companies are now spamming their customers frantically for consent, in spite of recital 47 and article 6; both deal with the issue of legitimate interest, including the much disputed issue of direct marketing, within the wider context of any business, especially those with an appropriate, ongoing relationship with their customers. In turn, the people at the other end of this unsolicited correspondence tend to become fearful and hyper-vigilant about their data, even when this is clearly uncalled for. What is more, bureaucracy of the type that has been, until recently, limited to under-performing public institutions has quickly become the norm for private companies seeking to generously comply. Confidentiality agreements and cookies have taken over each and every website in sight, while internal documents about data protection are flooding workplaces all over the continent and beyond. But when it comes down to it, few people ever get the chance to actually benefit from the rights conferred to them by GDPR. Most agree to the terms without reading them or fear that their information has been stolen and used for some unknown, nefarious purpose. Meanwhile, companies are still processing data in much the same way they always have, with one notable difference: now they're also buried in paperwork, which makes them less efficient or productive. 
While having a set of universally applied standards for data protection is a laudable endeavor, the first effects of GDPR have already generated a wave of frustration from businesses and customers alike. At this point, we can only hope that this initial shock will soon wear off and that all of this will lead to more meaningful changes down the road.”
By Una Clara Sigheti
Participant Leaders for Justice Programme
By Krisztina Petra Gula
This material was published in Lawyr.it Vol. 5 Ed. 3, September 2018, available only online.