Privacy Commissioner Mr Stephen Wong contributed an article to the International Association of Privacy Professionals (IAPP) entitled "GDPR’s second birthday — what does it bring to us?"

The EU General Data Protection Regulation (GDPR) celebrates its second anniversary on May 25, 2020. The Privacy Commissioner Mr Stephen Wong was invited to contribute an article, along with other leading voices in the data protection and privacy community, to reflect on the past, present and future of the GDPR. Below is the article:

GDPR’s second birthday — what does it bring to us? 
 
The implementation of the EU General Data Protection Regulation has surely brought a sea of changes to the data privacy landscape, not just in Europe, but also around the world. Two years on, it is not an exaggeration to say that the impact of the GDPR is being felt every day far and wide, from industry regulators to the business sector, data controllers and data processors to individual data subjects. It was indeed a trendsetter and catalyst for change, given its updated data protection conventionally and the explicit compliance requirements on the part of the organizations established outside the EU in specific circumstances. As a regulator from the Asia-Pacific region with close economic and business ties with Europe, it is my distinct privilege to share my initial thoughts on the operation of the GDPR on its second birthday.
 
It is trite that technology neutral legislation allows for the possibility of legal statutes to cope with information and communications technology development in a dynamic manner. While it is often said that laws always lag behind technological development, the rapid pace of innovation in our day and age makes most related legislation stale in little time. As a landmark piece of legal instrument, the GDPR’s technology neutral approach keeps the regulatory requirements constantly up to date without the need for frequent reviews. In addition, the adoption of a risk-based approach in data protection is another key to the effective implementation of the GDPR. The approach determines the level of data protection through an assessment of potential harm, allowing data controllers to proactively manage the risks involved with their business operations. This pragmatic approach is well poised to be welcomed by the business community.
 
That said, the changes to the privacy landscape brought about by the GDPR cannot be underestimated. Since its introduction, the GDPR has flagged up awareness and understanding of protecting and respecting personal data privacy rights with penalties that should serve as effective deterrence to any noncompliance. In this regard, the GDPR is very successful in returning control of personal data to individuals or data subjects as part of their inalienable human rights. It also results in a lot of companies building in privacy accountability as part of their corporate governance strategy, an achievement that should definitely be applauded.
 
At first glance, the GDPR is wide encompassing, perhaps at least from the eyes of those outside Europe. However, the GDPR also sets a benchmark for the world, almost like a golden standard that other legislation should consider meeting. It is not a coincidence that more and more similar laws and regulations are being enacted around the globe nowadays. For example, in the West, we have the California Consumer Privacy Act, coming into effect Jan. 1. In the East, the India Draft Data Privacy Bill is pending Parliament’s approval. Hong Kong is also in the process of reviewing its Personal Data (Privacy) Ordinance by making references to GDPR standards and guiding principles. This is a welcoming improvement as it tends to reduce fragmentation of legal requirements cross-nationally, though the issue of interoperability is another step to go forward.
 
Technology evolves every day, and so will data protection frameworks. The GDPR is definitely not the end of our journey but a very firmly grounded starting point. It may, however, not be taken as a straitjacket as small and medium enterprises with fewer resources could find compliance too challenging. Of course, from the perspective of a regulator, it is imperative for every entity to be treated equally before the law, regardless of their size or resourcefulness. It might fall on us as regulators to engage the SMEs with more guidance, advice and incentives for their compliance readiness.
