GDPR: three years of setting the standard for data privacy
May 22, 2021 · Authored by Mike Vanderbilt, Rachael Reinis
It's been three years since the General Data Protection Regulation (GDPR) became effective; how time flies! Since May 28, 2018, data privacy boldly stepped to the forefront of organizational priorities and in so doing elevated strategic conversations at almost every consumer-facing organization across the globe. For some, it became simply another element of their compliance strategy. For others, a confusing and frustrating requirement to implement. For consumers, it was a barrage of “updated” privacy notices and cookie banners on almost every website visited (just curious, did you actually read any of them?). Well, we have the GDPR to thank for all of these outcomes. What’s clear: organizations now regard data privacy as a strategic priority with far-reaching impacts.
GDPR’s impact
The GDPR is composed of 99 articles and 173 recitals (you probably skipped those; most people do, but they provide some much-needed context). In the U.S. we are accustomed to using control frameworks, like the National Institute of Standards and Technology (NIST) or the Trust Services Categories used for System and Organization Controls (SOC) 2 examinations, that provide a level of assurance regarding compliance and focus on specific control objectives and criteria. In contrast, the GDPR is based mostly upon principles. GDPR’s principles—lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality and accountability—caused confusion for those who simply wanted clear direction as to whether multifactor authentication is required or guidance on how long log files must be retained. Now, organizations are challenged to evaluate their "processing" activities against the potential negative impacts to the individuals whose personal data they are processing. Add to that actually having to determine and map what personal data is present, where it’s stored, who it’s shared with and where it came from. Oh—and don’t forget the requirement to delete the data at the end of the retention period!
GDPR’s results
Last summer, the European Commission released an assessment evaluating the success of the GDPR after year two. Paramount among the achievements is the GDPR’s position as a well-known standard across the world for data privacy. The regulation stimulated new as well as improved data privacy and data protection laws across the globe. In the U.S. alone, there were only two state privacy bills introduced in 2018, year one of GDPR enforcement. In 2021, there are more than 27, according to the International Association of Privacy Professionals. The GDPR should also be credited with revitalizing the fair information practice principle of individual rights. Early privacy frameworks established “data subject access” or “individual participation” as one of the four categories of privacy principles, but it is difficult to say whether organizations would have accepted and executed such a request without the “pressure” of the GDPR and other emerging privacy laws.