I was wondering what the feelings were (esp for those in the EU) about the new General Data Protection Regulation (GDPR) that comes online in 4 months...
GDPR is currently a big thing in the EU. Both companies and legislators are preparing for 25 May of this year, and the feelings are rather mixed. Although a number of specific interpretation guidelines have already been drafted, some confusion still remains. A good example is the new institution of the Data Protection Officer - for instance, does it need to be a natural person, or could it be a specialised company? It seems that a DPO should be a natural person, but the GDPR does not exclude a legal person either... Moreover, companies are also afraid that due to the specific requirements on the personal and professional qualities of a DPO (a combination of legal and technical education) it would be impossible to find such a person. Last year, it was estimated that in the Czech Republic alone approximately 10,000 DPOs would be needed...
On the other hand, the GDPR is an opportunity for new companies that can utilize it to create new business models, such as certification of good practice, etc.
From a legal researcher's point of view, though, GDPR is a good thing. It should really ensure almost the same level of protection for all natural persons in the EU. It will definitely reduce costs in cross-border litigation and help people to control their data more efficiently. Unfortunately, the GDPR could also be circumvented, but it is an improvement on the existing fragmented data protection law. I guess and hope that the legal framework will improve continually.
Thank you so much! The subject came up recently during discussions with a colleague of mine in the UK and I was hoping to get more information, which you provided very nicely! Thanks again.
Happy to share my opinions :) If you would need any information on the GDPR, do not hesitate to send me a message - I deal with the GDPR on a daily basis and focus especially on biometrics, behavioral biometrics as well as profiling. Have a good day.
I absolutely agree with your point of view. Overall, the GDPR has a positive impact on privacy protection, and not just in the EU but also in third countries.
Nevertheless, I wouldn't be so optimistic about this Regulation.
It didn't resolve a number of very important issues, such as the right to be forgotten. There is still no mechanism to be really "deleted".
Furthermore, requirements such as privacy 'by design' and privacy 'by default' lead to huge spending by companies to comply with them. For big players, it is not so sensitive, but for a small business this can lead to the termination of their business.
My colleagues and I are not very satisfied with this outcome :)
Dear Bruce,
Maybe this topic is no longer relevant for you; nevertheless, I decided to share my opinion in case you would be interested in another point of view.
Dear Anneke, thank you so much for your comments! I am glad you shared your thoughts with us. On the technical side of things in cyber, I believe that it is almost impossible to be "forgotten". Any laws that would state that a company has to enforce that concept will probably be ignored or fought hard in the courts. Great discussion!!
Dear Alžběta, and everyone: since I first proposed this question months ago, I wasn't certain how much GDPR would affect non-EU people. Well, now we know! Jan was right that those companies with their infosec house in order would be OK. But there has still been quite a stir about GDPR. I just got back from a conference in Germany and had several long conversations with attendees offline about it. Thanks again!