The origin of the GDPR legislation: why exactly?
GDPR: a piece of legislation that raises a lot of questions for companies. Sometimes justly, but most of the time unnecessarily. I am going to write a small blog series about this legislation, each post covering a specific topic based on a problem I get questions about in my daily work.
In this blog I will give you a short and general summary of GDPR. What is its origin, what has changed, and what is the purpose of GDPR?
Situation before the introduction of GDPR
In the ‘before’ situation, every European country had its own legislation about protecting the personal data of European citizens and their privacy and security. That went well for a long time, but most of that legislation was not designed for a technological revolution and related developments such as big data analysis. In short, the old legislation of most European countries was outdated and no longer met the demands for guaranteeing the privacy and security of European citizens’ personal data.
Let’s look back on what happened in the years before GDPR. Organizations felt the need to analyze online behavior in order to respond to it. They do this to stay ahead of the competition, but also because the consumer, who is online much more, asks for it. In order to better serve the website user, (personal) data is often required. Because there were no guidelines on what is permitted and what is not, organizations started to collect huge amounts of data without properly informing the website user and asking them for permission. In addition, there is often no opt-out available, with the result that the user has no choice but to release his data for analysis when he visits a specific website.
The previously mentioned scenario was considered problematic by the government in the long run, which is why GDPR was created. The law was approved by the EU Parliament on April 14th, 2016, which means it has been applicable legislation ever since. However, the parliament also realized that this legislation would have a significant impact on many organizations. That is why ‘we’ have had more than two years to write policies and procedures and to technically arrange everything so that you as a company comply with the law. That period is now almost over, and from May 25th, 2018, the law will be enforced. So, if after that date you have no policy, no procedures to comply with the rights of the European citizen, or, for example, you still collect personal data on a large scale without thinking about it, there is a chance you will be fined by the EU.
GDPR wants to do something about the protection of European citizens. This is the main goal of GDPR. This legislation applies not only to companies based in Europe, but to all organizations that collect personal data from European citizens.
GDPR also wants to give frameworks to organizations that collect personal data. Because these frameworks were completely lacking in recent years, many organizations are currently totally unaware of what data they actually have, where this data is stored, and who has access to it. GDPR wants to change this. Data collection is not completely forbidden, but as an organization you have to request permission from the user and have a good reason to collect the data.
It is also good to mention that GDPR is currently deliberately vague. The frameworks have been kept as broad as possible, so that as much as possible is covered. Only after May 25, 2018, when enforcement takes effect, and perhaps the first lawsuits follow, will the frameworks become really clear.
Are there questions or problems your organization encounters about GDPR, or do you have a general question? Please let me know! I’ll gladly look it up for you and you might see the answer in one of my future blogs! You can also check our guidelines for GDPR.