GDPR: Where are we now?

The General Data Protection Regulation (GDPR) is a major step forward for data protection and privacy with a truly international impact. Back in 2018, many people said that it would change the face of the digital world. In this article, we will have a look at GDPR and assess the impact of the regulations since their inception. If you have not read our articles on CCTV and GDPR and Where is it appropriate to install CCTV cameras? then do head over the read these.

A quick overview of GDPR

GDPR bought a harmonised framework for the European Union. It bought the right to be forgotten, guidelines for clear and affirmative consent, and serious penalties for failure to comply. GDPR now applies to over 500 million people in 28 countries.

• The Regulation 2012/0011 was adopted officially on 27 April 2016
• It came into force on 24 May 2016
• Member States had to transpose it into their national law by 6 May 2018
• The provisions of the Regulation were applied on the 25 May 2018

The global effects of GDPR

In the USA there is no single comprehensive federal law regulating the collection and usage of biometric data. Washington, Illinois and Texas have all passed their own biometric privacy laws since 2017. California enhanced its privacy protection regulation at the end of 2018. The California Consumer Privacy Act (CCPA) is often touted as a potential model for a US data privacy law.

The USA is interesting because many government agencies and industry groups have created self-regulatory processes. Apple, Facebook, Google and Microsoft have been self-regulating for some time with one could argue, varying degrees of success. Debate continues as to whether a country-wide law will ever be passed. In some states, such as Illinois, you can be sued if you collect biometric data like fingerprints without opt-in consent. San Francisco has since banned the use of facial recognition technology by the government.

In 2017 in India, the supreme court ruled privacy a ‘fundamental right’ in a landmark case which illustrates how data protection has become a top priority for many democratic countries. The Aadhaar programme – the worlds largest biometric ID system –  has been divisive to say the least, and the court judgement that it is unconstitutional for private companies to use Aadhaar data has had a massive impact on the programme. This year Japan put in place a set of rules to bridge differences between its data protection system and GDPR.

What is biometric data classified as in the EU?

EU data privacy law defines biometric data as a ‘special category of data’ and strictly governs its processing. Biometric data is ‘personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allows or confirms the unique identification of that natural person, such as facial images or dactyloscopic data’. GDPR protects EU citizens from having their information shared with third parties without their consent. However, there are some exceptions to this:

• if consent has explicitly been given
• if biometric data is necessary for carrying out the obligations of the data controller or the data subject in the field of employment, social security or law
• if it’s necessary to protect the vital interests of the individual and they are incapable of giving consent
• if it’s vital for legal claims
• if it’s necessary for reasons of public health

Objectives and Provisions of GDPR

The main idea behind GDPR was to give people back control over their personal data, while making it simpler for companies to understand and implement a regulatory framework. GDPR also acknowledges and deals with the immense potential of biometrics.

1. Right to be Forgotten
   Unlike the old days, when people were harvesting emails without consent, consent must now be explicit. Subjects have the right to withdraw consent at any time.
2. Data breach must be notified within 72 hours
   GDPR now levies massive penalties if companies do not disclose a data breach within 72 hours.
3. Not just the EU
   Non-EU organisations are now subject to GDPR where they process personal data about EU subjects. This means that GDPR has an impact outside of the EU.
4. Privacy by design
   Data usage should be limited to what is necessary. This means that data shall only be collected for ‘specific, explicit and legitimate purposes’. It must not be processed in ‘a manner which is incompatible with those purposes’.

GDPR so far….

Many people were quick to scaremonger in the months leading unto the implementation of the regulations, but what has really happened? The EU Commission reported in May 2019 that 144,376 queries and complaints have been filed, 89,271 data breaches reported and 5 fines totalling £52 million issued.

The biggest fines so far:

• British Airways 183M in July 2019 (poor security standards had compromised the personal information of 500,000 customers)
• Marriot Hotels £99M in July 2019 (339 million customer records exposed during a data breach)
• Bounty UK £400,000 in April 2019 (illegally sharing the personal information of more than 14 million people)

On a side note, Facebook was fined £500,000 in October 2018 under the old General Data Protection Act 1998 for its role in the Cambridge Analytica Scandal. Had GDPR been in effect the fine could have been as high as 10.3 billion. Many people have said that the £500,000 fine was nowhere near harsh enough.

The pace of change

Privacy demands rigorous accountability. While we are seeing a massive trend towards the adoption of a global conscientious, we are a long way off having one regulation that covers the world (and that will probably never be the case). Fundamentally though, mismanagement of information is no longer tolerated as it once was, and people are now much more aware of their right to control what is done with their personal data. In the long term, this can only be a good thing.

If you are thinking about investing in a biometric system for managing access or time and attendance, or want to use CCTV to help protect your premises, we can help you with all aspects of GDPR compliance. Why not speak to a member of our friendly sales team on 0333 567 66 77 (UK) or 01 68 333 68 (Ireland). Or feel free to drop us an email to [email protected].