GDPR in 2021: Key Updates and Implications for Business

The General Data Protection Regulation (GDPR) is the European Union's data protection law. Any company that handles the personal data of people in the EU, whether it is confidential customer information or anything else that identifies a person, must comply with it. Since it began to apply on 25 May 2018 it has had far-reaching effects on almost every business; its scope is so broad that it reaches commercial giants and small start-ups alike. The text of the regulation has not been amended since then, but court rulings, regulatory guidance and new contractual clauses issued in 2020 and 2021 have changed what compliance requires in practice, and those changes affect businesses in new ways.

Broadening of the Scope of the GDPR

One of the most significant changes is a broader allocation of responsibility for the safe handling of data. Every party that has access to or uses customer data is answerable for how that data is used: processors carry their own obligations, and where two or more controllers together decide why and how data is processed they are "joint controllers" under the GDPR. The Court of Justice of the EU has read this concept broadly, so that even loose cooperation (for example, sharing visitor data with a partner whose tool is embedded in a website) can create joint control, and each joint controller can be held liable for a data leak or misuse regardless of how the two have divided duties between themselves. This has forced companies to double and even triple-check that data stays secure even after it leaves their direct control and passes to another company.

Tightening of GDPR Enforcement Outside of Europe

While the GDPR's main function is to protect the personal data of people in the European Union (it applies to anyone located in the EU, not only to EU citizens), it is also enforced against companies outside the EU. Any company that offers goods or services to people in the EU, or monitors their behaviour, must comply whether or not it has an establishment in the EU, and a company that does not comply faces fines and orders that stop its EU business. This has been challenging for large American IT companies such as Microsoft, Google and Yahoo. Because U.S. privacy law is less stringent, the EU and the U.S. agreed a mechanism called the Privacy Shield in 2016: a U.S. company that self-certified to its principles could lawfully receive personal data transferred from the EU. This made it much easier for U.S. and other international companies to conduct business in the EU.

However, in July 2020 the Court of Justice of the EU invalidated the Privacy Shield in the Schrems II ruling, holding that U.S. surveillance law did not give data transferred from the EU an equivalent level of protection. Transfers to the U.S. now have to rest on another mechanism, most commonly the Standard Contractual Clauses (SCCs) approved by the European Commission, which were reissued in a stricter form in June 2021. An organization that sends personal data of people in the EU to a recipient outside the EU must put these clauses into its contract with that recipient (they belong in the data transfer agreement between the two companies, not in the public terms and conditions) and, following the ruling, must also assess whether the law of the destination country undermines the clauses and, where it does, add supplementary measures such as encryption that keeps the data unreadable to the recipient's government.

Clear Consent Required

In the first years of the GDPR there was some confusion about what consent a customer must give before personal data can be processed. This allowed websites and other data-driven companies to get away with unclear consent requests that did not specify exactly which data would be collected and for which purpose it would be used. Regulators and the courts have since closed this loophole: a company that relies on consent must obtain consent that is freely given, specific, informed and unambiguous, separately for each purpose, before it collects or processes the data, and pre-ticked boxes or continued browsing do not count as consent. The guidance on cookies has also been revised, and it makes it near impossible for companies to use "cookie walls" that block access to a website unless the user accepts cookies, because consent given under that pressure is not freely given.

Less Third-Party Data Processing in Favor of In-House Processing

Bearing in mind that the GDPR holds every party that processes personal data responsible for it, many companies have decided to limit their exposure by keeping data in-house. Some no longer use third-party data processing services for fear that a leak at a provider could cost them dearly. Two caveats apply. A controller that outsources processing remains accountable for it: the GDPR requires a written contract with each processor (a data processing agreement) that fixes what the processor may do with the data, obliges it to keep the data secure and to report breaches to the controller without undue delay, and lets the controller audit it. And bringing processing in-house does not shrink the obligations; it simply means the company's own team must meet the same security and breach-notification requirements the provider would have had to meet.

What are the Implications of the GDPR Changes for Businesses?

Every business, big or small, will feel the effect of the tougher GDPR regime. Data analytics is an integral and unavoidable part of modern business and is used in a myriad of ways. The stricter rules and penalties will make it more costly for companies to keep the data they use confidential. Third-party data processors may see a drop in demand and revenue as companies shift to in-house processing. Companies that breach the GDPR, whether accidentally or deliberately, can find themselves in a financial vice: administrative fines go up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher, and the fines regulators actually issue have grown steadily since 2018. Last but not least, new jobs and services related to the protection and responsible use of customer data are likely to be created in the wake of these changes.

Conclusion

The latest changes to the GDPR regime are designed to let people in the EU use the internet without compromising their identity or privacy. Compliance is not optional; companies that work with personal data will have to invest time, effort and money if they want to continue doing business in the European Union.

Milica Vojnic of Wisetek regularly advises businesses on the importance of an effective Data Destruction policy for improved cybersecurity.
