Connect with us
Finance Digest is a leading online platform for finance and business news, providing insights on banking, finance, technology, investing,trading, insurance, fintech, and more. The platform covers a diverse range of topics, including banking, insurance, investment, wealth management, fintech, and regulatory issues. The website publishes news, press releases, opinion and advertorials on various financial organizations, products and services which are commissioned from various Companies, Organizations, PR agencies, Bloggers etc. These commissioned articles are commercial in nature. This is not to be considered as financial advice and should be considered only for information purposes. It does not reflect the views or opinion of our website and is not to be considered an endorsement or a recommendation. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third-party websites, affiliate sales networks, and to our advertising partners websites. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish advertised or sponsored articles or links, you may consider all articles or links hosted on our site as a commercial article placement. We will not be responsible for any loss you may suffer as a result of any omission or inaccuracy on the website.

TECHNOLOGY

The GDPR and the future of data transfer – by Ben Seretny, Head of DPOs, The DPO Centre

The GDPR and the future of data transfer – by Ben Seretny, Head of DPOs, The DPO Centre

Wind the clock back five years to May 2018, when the General Data Protection Regulation (GDPR) was enforced across Europe and the UK. At that time, the UK was still in seemingly endless negotiations with EU neighbours, Facebook was busy appealing a legal judgement about international data transfers, and businesses were bracing themselves for a period of uncertainty as a new, and some might argue unwanted, data protection regime was imposed.

Five years on many things have changed, but equally it appears, some things have stayed the same. We are left wondering if the principles of the GDPR have survived the stress test. Essentially, what worked, what didn’t, and what might be in store for the next five years?

GDPR efficacy 

One of the purposes of the GDPR was to harmonise data protection laws across Europe and give individuals greater control over their personal data. Following Brexit, the UK retained the GDPR by way of the UK GDPR which is sufficiently similar to the EU GDPR.

For UK and EU organisations, the GDPR legislation seeks to provide a route for transparent data management frameworks and robust data governance.

Back in 2018, the most hyped-up concern for businesses was undoubtedly the fines. Organisations braced themselves for massive penalties when, in reality, most of the enforcements at EU level were reprimands. This was partly intentional, to give businesses the benefit of the doubt and offered them time to get their house in order. However, as the years have ticked by, this has led to conjecture over whether the GDPR was merely a paper tiger, with few teeth behind the initial big roar.

Despite the recent Meta case, the biggest privacy concern for businesses isn’t the fines. Many companies see data protection as a matter of reputation and business integrity. There are financial implications for having to fix problems after the effect, and organisations have a vested interest in making sure robust data processes are implemented. They don’t want to deal with the mess of an embedded problem – far easier to get it right from the start.

Privacy by design is the way forward.

Some organisations are still struggling to understand data flow
and data supply chain management, even now, five years later.

International data transfers

International data transfer is currently a hot topic among privacy professionals, neatly coinciding with the GDPR’s fifth birthday. Meta’s record €1.2bn fine for illegally transferring EU data to the US serves to highlight the challenges of international data flow for organisations. In addition to the subsequent fallout from the Schrems II ruling back in 2020 (which invalidated the EU-US Privacy Shield), people are querying whether the GDPR’s chapter 5 needs to be ripped up and re-written.

This is one of the big questions we put to a panel of five Data Protection Officers (DPOs) in our recent webinar. And they had some surprising, or maybe not so surprising answers.

The problem with chapter 5

When GDPR first drew breath, organisations could rely upon the Privacy Shield mechanism to legitimise data transfers to the US. Then came the Schrems II ruling in 2020.

Schrems II is the common term for the case against Facebook Ireland, brought forward by Maximilian Schrems, an Austrian lawyer, and privacy activist.

In short, Schrems II invalidated the EU-US privacy shield – possibly the most important alteration to the EU privacy landscape since the GDPR. Since that ruling, the subsequent associated rulings have led to many pivots and required additional items such as transfer impact assessments (TIAs) and other supplementary measures. International data transfers have become a paperwork minefield.

Herr Schrems might argue these additional measures are not enough. They are merely papering over the cracks. So, what is the answer? There is a risk with leaving chapter 5 issues to the courts and not addressing them with hard and fast legislative change. Continuing piecemeal adjustments to the accepted international transfer framework in never-ending legal cases would also create further uncertainty. In turn, that would inevitably lead to additional expenses for organisations, as well as reduced protections for data subjects. Neither outcome is desirable.

Chapter 5 is one of the most rule-based parts of the GDPR. It states exactly what is needed for an international data transfer, in contrast to the rest of the GDPR, which is principle-based. There is a situation now where silos of data are being created in different countries with major challenges for data flow. The risk is economic isolation.

Chapter 5 seems to be moving away from one of the main principles
of the GDPR, which was to enable the harmonisation of data protection laws

The conclusion is an evolving one, much like privacy legislation in general. If the past five years have taught us anything, we can only prepare for what we currently know. Businesses are best advised to create a culture with in-built data protection from the start. And be ready and adaptable to change.  Data Protection Services – Speak to an Expert | DPO Centre

Continue Reading

Why pay for news and opinions when you can get them for free?

       Subscribe for free now!


By submitting this form, you are consenting to receive marketing emails from: . You can revoke your consent to receive emails at any time by using the SafeUnsubscribe® link, found at the bottom of every email. Emails are serviced by Constant Contact

Recent Posts