Well, has it been two years already? The General Data Protection Act (GDPR) came into operation on 25th May 2018 in a fanfare of data protection fuss and focus, and it’s been humming away in the background ever since. At the time, some likened it to the Millennium Bug in its potential to disrupt economies throughout Europe, and a lot of the emphasis was inevitably on those huge fines that could be used to beat errant companies into submission.
In fact, as the UK Information Commissioner’s Office was at pains to point out two years ago, GDPR wasn’t the same as the Millennium Bug, but it is probably fair to say that the eerie silence after 25th May 2018 does have a few similarities with that other historic anti-climax. That’s not to say that the data protection authorities haven’t been busy since then, or that some big fines haven’t been issued against big companies; but the fears of the silent majority of organisations that the GDPR would immediately be a big stick used against the little guy for small errors in their privacy policies or email marketing strategies really haven’t come to pass.
What the GDPR has certainly achieved is to put data privacy firmly on the agenda for many more organisations (particularly small to medium sized ones) than before. In the UK, the Data Protection Act had been around since 1998 so it would have been reasonable to assume that most companies were already following good practice. But the publicity surrounding the GDPR and its huge potential fines seems to have been a first introduction to the idea of data protection to many organisations that hadn’t previously given it much thought. GDPR has succeeded in generating the kind of everyday conversations that the Data Protection Act simply didn’t seem to warrant. Previously the concept of a local hairdresser wanting to discuss data protection with its customers would have seemed slightly surreal, but the GDPR has brought such conversations into the public mainstream.
The world has been a little too busy recently with a certain other matter to worry too much about Brexit, but this is still happening and will have an impact on data protection at least in the UK. The Data Protection Act was revamped in 2018 and so far the indications are that UK data protection law will closely mirror that of the EU for some time to come. Efforts are underway to try to convince the EU to grant the UK an adequacy decision which would mean that UK data protection is “good enough” to be trusted with the personal data of EU citizens. But it’s not a foregone conclusion, and it’s possible the EU may make the UK sweat; after all, it could be considered a useful bargaining chip in the ongoing negotiations about future trade deals.
In May 2018 when the GDPR became law, few people would have believed that a virus could cause as much global mayhem as Covid-19 has in recent months. The unprecedented health and economic impacts have tested the principles of data protection and had some organisations (and governments) scrambling to understand what they can and can’t do under the GDPR. Striking a fair balance between privacy and the rights of affected individuals and the wider public in a situation where the stakes are so high has been a challenge for many. It remains to be seen whether the practicalities involved with contact-tracing apps will lead to any kind of shift in that balance. Adding into the mix the explosion in malicious attempts to defraud vulnerable people and steal personal data will test the parameters of data privacy and GDPR enforcement still further.
We live in momentous times where a seismic shift in health, economic and social attitudes is taking place before our eyes, and who knows what changes this will lead to? The first two years of the GDPR’s existence may come to be seen as the relatively straightforward ones, where the principles of data protection were a given. But over the next two years it’s possible that irresistible pressures will build up from multiple directions to shape the way in which privacy is perceived and alter the interpretation, if not the letter, of the GDPR for a long time to come.
To mark the second anniversary of the GDPR on the 25th May, we’re offering 15% off our award-winning GDPR toolkit until 29th May 2020. Enter discount code: GDPR15 once at checkout to redeem.