The General Data Protection Regulation (GDPR), which comes into force today, aims to harmonise and reinforce the legal framework of personal data protection in Europe. It is an update of the previous Directive of 1995, which had become clearly obsolete as a result of the rapid development of new technologies. New realities such as ‘big data’ and the processing of information via social media required a more solid and effectively protective regulatory framework.
For users, the Regulation means they will have greater control over the use that companies make of their personal data. An example of this is the fact that consent to processing has to be unequivocal, by means of an affirmative expression of willingness or a positive action, tacit consent no longer being admissible.
Furthermore, for citizens the Regulation introduces some new features such as the right to portability, meaning that consumers can ask companies to hand over all their personal data in order to take or send it to another company; and the “right to be forgotten”, which is the power to prevent the dissemination of personal information online when its publication is obsolete or has become irrelevant.
For companies, it introduces a principle hitherto unknown in continental law, that of “proactive responsibility”, which involves the need to adopt a diligent attitude in processing personal data, applying technical and organisational measures appropriate to the Regulation and being able to demonstrate that they are proactive when asked to do so by the authorities. For example, breaches of security must be reported to the AEPD (Spanish Data Protection Authority) within 72 hours, which means internal protocols must be established to handle them.
Similarly, companies must be more transparent, informing customers how they process their data by means of concise, intelligible, easily accessible information in clear and plain language. The sanctions regime is tougher too, with fines running into millions and even up to as much as 4% of a company’s annual revenues.
It is evident that with all these changes plentiful resources will have to be assigned to adaptation: a study by IDC estimates that Spanish organisations will invest €140 million during 2018 in modifying their processes and systems, 44% more than in 2017. However, implementation of the new rules may also provide an opportunity to transform and rationalise the way we organise data, facilitating more effective risk management. The supervisory authorities will also need greater resources to be allocated to them in order to cope with the coming increase in responsibilities.
The Regulation comes at a time when technological change is transforming companies. The market is seeing the emergence of numerous operators that base their business model on the value they extract from mass processing of data. The use of ‘big data’ provides very valuable information on consumption habits of customers, who increasingly value personalisation of services. Users are aware of how useful it is to share their data and are prepared to do so providing they trust the company they entrust them to and perceive that they get something in return.
In this new environment, the companies that are able to develop data analytics to complement their traditional services will obtain a competitive advantage in the market. The new regulations seek to rationalise and control the use of this plethora of information and to make users aware of the use of their data in the digital market.
The Regulation also extends its territorial reach, because it affects companies located outside the EU when they are processing data of users within it, which obliges the so-called big techs, located in other countries, to comply with its provisions. At the global level, following scandals such as that of Cambridge Analytica, the need for strong regulatory frameworks is clear, and the Regulation may function as a global standard.
The challenge for companies will be to comply with the requirements of the Regulation while at the same time providing a satisfactory service to the customer, in the ever more competitive environment of the data economy.