This is the second in a series of posts penned by itslearning’s Data Protection Officer (DPO), John-Arthur Berg.
If you are a reader of technology or business-related news, it is hard to miss the doom and gloom associated with the upcoming GDPR enforcement date. For those of us old enough to remember, it bears a striking resemblance to the hysteria around the Y2K bug, prior to entering the new millennium. So I guess this means GDPR is a massive change in data protection and privacy across the EU?
No, it doesn’t.
GDPR is built on the same principles as current legislation. You find these principles in the EU’s Charter of Fundamental Rights (Articles 7 & 8). GDPR is built on top of the current EU directive on data protection, and on ideas picked from various local laws and regulations across the EU’s member states.
So why did the EU decide to create a new regulation? There are two reasons that stand out.
Strengthening the rights of the individual. Today we live in an age where personal data is a currency. Some of the biggest and richest technology companies in the world make their money more or less exclusively from your personal data. And they are getting more and more clever about it. The financial incentives to violate the fundamental freedom to data privacy are huge, and the current legislation has a hard time keeping up. So GDPR explicitly strengthens the individual rights of persons, and also allows supervising authorities to impose massive fines to deter companies from cashing in on the unlawful use of your data.
A single digital market. At its core, the EU (and the connected countries in the EEA) is a single market. For it to work, it needs to ensure the free movement of goods, capital, services and labour. Governments and corporations in the union must compete on the same terms for the market to be efficient and for competition to be fair across the member states.
As itslearning can attest, providing services across borders in the EU/EEA has historically not been smooth sailing. Local law – although all based on the same EU directives – has on occasion put up obstacles to prevent companies from competing across borders when personal data has been involved. With GDPR, the EU wants to make sure there can be one digital market, with the free flow of personal data within the EU/EEA. This is only possible if every country follows the same rule book, namely the GDPR. It is clear from Article 1.3 in GDPR that the EU really wants us all to play by the same rules:
The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.
Only time will tell if GDPR will be effective in both strengthening the individual’s rights and creating a single digital market. Your personal data is valuable enough that some tech companies will be willing to take a fight against supervising authorities across Europe. And local governments will still try to find ways of creating obstacles to the free flow of personal data in certain areas. For proponents of the European internal market, or data privacy activists, the fight starts on the 25th of May.
For more information, please visit our web page: itslearning GDPR compliant by May 2018