GDPR stands for General Data Protection Regulation.
It is a legal framework that protects the data privacy rights of anyone who lives in the European Union, as well as people in Iceland, Lichtenstein, and Norway - countries that are part of the European Economic Area (EEA) single market - and Switzerland.
Note - the UK’s Data Protection Act (DPA) was amended in 2021 to integrate EU GDPR requirements. So, while the country is not technically covered by the GDPR post-Brexit, its data privacy regulations are very similar.
The European Commission started planning the bill in January 2012, as it looked to reform the Union’s data protection regulations.
Agreement by the European Parliament and Council was reached in April 2016, and GDPR came into force in May 2018.
GDPR takes the place of the EU’s Data Protection Directive - an archaic, decade’s old law, whose minimal standards for processing data inadequately protected personal information in our modern digital age.
Today, GDPR is considered one of the strictest data privacy laws in the world, and its impact since 2018 has been striking - countries and sub-states have used it as a model for building their own data privacy laws, companies have been hit with multi-million-dollar non-compliance fines, and online marketing will never be the same again.
GDPR opens consumer access to the personal data held by companies and restricts what companies can do with this information.
GDPR is built around the protection of the eight basic rights of data subjects, as laid out in Articles 12-23:
For a better grasp of all the lingo, you can refer to our Glossary of Terms.
The EU GDPR only applies to personal data, which it considers to be any information that relates to an identifiable person. Anything that can confirm your physical presence somewhere is also classified as personal data under GDPR - this includes things like CCTV footage and fingerprints.
The GDPR places certain types of sensitive personal data into a “special category” that must be treated with extra security. This includes information related to:
GDPR requirements are enforced by the national data protection authorities of EU and EEA member states, and by private right of action - as with Max Schrems and his NYOB advocacy group.
It has established a two-tier sanctions system and companies found to have misused data according to GDPR can be fined either:
According to the European Commission, GDPR applies to:
Effectively, GDPR applies to companies that collect data from or market to the European Union, or are prepared to serve citizens and residents there.
In practice, compliance is mandatory for any company that makes its website or services available to EU citizens.
It's even mandatory for companies that hold the personal data of just one person living in the EU - even if there is no company office in the Union.
Since GDPR reaches outside the territorial scope of the European Union, the number of formal GDPR exemptions is very small:
The European Commission states that some GDPR obligations will not apply to companies where processing personal data isn’t a core business activity - such as the appointment of a Data Protection Officer.
There are a range of scenarios that free companies from the oversight of GDPR.
If you’re not operating in the EU, you may be exempt from GDPR if you don’t use an EU language, currency or refer to EU consumers - this is tricky given the usage of some of these languages around the world so your intent is important.
You’d need to also ensure that EU residents can’t register for an account or purchase anything.
If your company does collect data, you may be exempt if you don’t process personal data - i.e. anything that can be used by itself to identify someone. Anonymous data is also not covered by GDPR.
There remain some specific scenarios that fall outside the scope of GDPR - they don’t apply to many private companies and vary from EU country to EU country.
Overall, they relate to very specific parts of the GDPR. Particular companies might not need to provide people with the personal data on file, or they might not need to communicate certain information in their privacy notice. Here are some examples:
Article 5 establishes seven principles that act as an overarching framework to guide the handling of personal data. Data controllers must comply with these principles, and be able to demonstrate adherence at any time.
Lawfulness means that you should have a good reason for collecting and processing data.
Fairness means you should never purposely withhold your reason for collecting and processing data, and means you won’t mishandle or misuse it.
Transparency means being open, clear and honest with data subjects about who you are and what you’re going to do with personal data.
GDPR states that personal data is “collected for specified, explicit and legitimate purposes”.
You must clearly establish your purpose for collecting data, communicate this to users in a privacy notice and ensure that your activities stay within these set limits. If not, you must acquire further consent from users, unless there is a legal precedent for doing so.
This means collecting the least amount of data required to deliver your objective
This means that all the data you collect and store is correct. It requires setting up systems and regular audits to ensure that incorrect data is corrected, updated, or deleted.
GDPR forces you to justify how long you store personal data for. This can be done by establishing a storage limitation policy and anonymizing data once the set time period is over.
This means you are required to keep personal data secure from internal and external risks, and protect it from unauthorized processing as well as accidental loss or damage.
Companies must have appropriate processes, procedures and documentation in place to prove compliance with data processing principles, and supervisory authorities have the power to demand evidence of this at any time.
GDPR has established a new standard for the data protection of EU citizens and residents, and presents a challenge to companies that risk huge fines for non-compliance.
GDPR outlines certain obligations organizations must follow, which limits how personal data can be used.
It also defines eight data subject rights that guarantee specific entitlements for an individual's personal data, ultimately giving individuals more autonomy over their personal information and how it is used.
But following GDPR requirements is not enough and you may wonder, what is GDPR compliance?
Companies must also be able to demonstrate on demand that they have policies and procedures in place to ensure that the data flow is secure at every point of the customer journey.
Compliance requires a full database audit, introducing opt-in consent systems, and establishing your legal basis for data collected.
Companies will also need to look into cookie consent, standard privacy policy wording, privacy notices and third party activities.
They’ll have to conduct risk assessments, secure data and prepare for breaches.
Everything to do with data needs to be permanently and accurately documented - all to ensure that the data rights of EU users are respected at all times.
GDPR compliance should be seen as an opportunity. Privacy has long been a key concern for consumers, and adhering to stricter data regulations will build trust with consumers.
As social and economic activities continue to migrate online, so too the importance of privacy and data protection continues to grow.
Countries around the world are taking steps to reform their legislation on the collection, use and sharing of personal data without the explicit consent of consumers - a resource now more valuable than gold (Economist).
The California Consumer Privacy Act (CCPA) is a state-wide data privacy law. Introduced in 2020, it regulates the handling of the personal information of California residents.
It only applies to commercial companies.
The California Consumer Privacy Act started life as a ballot proposal by a privacy group called Californians for Consumer Privacy. The initiative’s official language was approved by the Department of Justice on December 18, 2017, enabling the privacy group to start collecting signatures.
The CCPA was passed in the state legislature and signed by State Governor Brown on June 28, 2018. Five amendments were then enacted and signed by State Governor Newsom on October 11, 2019. The CCPA came into force on January 1, 2020, and necessitated the withdrawal of initiative 17-0039 of the Consumer Right to Privacy Act.
It is the first law of its kind in the US, and other states will be paying close attention to the practical implications as they create privacy laws of their own.
It will be replaced by the more expansive California Privacy Rights Act (CPRA) in 2023.
While a federal data privacy law for the US remains out of reach, compliance with the California Consumer Privacy Act (CCPA) is still a challenge. Only 11% of companies fully meet the regulation's standards, according to research from Cytrio. The report is based on a study of 5,175 US companies with revenues between $25 million and surpassing $5 billion over a six-month period.
The law begins by listing the five rights it has been designed to protect, so that’s a good jumping-off point:
This law has introduced potentially crippling fines for the misuse of data.
It has given the Californian Attorney General the power to fine companies up to $2,500 per violation - increasing to $7,500 if there was clear intent.
Companies that suffer a data breach also risk a class-action lawsuit and payment of up to $750 to each affected consumer.
However, the law does give companies 30 days to rectify any misuse of data, if applicable.
CCPA has often been referred to as “America’s GDPR”.
It is considered one of the strictest laws of its kind in the US and mirrors GDPR in terms of the data protection it gives California residents.
Like GDPR, CCPA includes the right to transparency, requiring companies to inform consumers about what data is collected, and how it is shared. It also gives consumers the right to access, delete, and opt-out of any data activity on request.
The CCPA provides some of the eight GDPR rights of data subjects, but is actually more constructed around emphasizing two additional rights - these are implicit in GDPR, but not recognized as rights themselves:
The right of Californians to say no to the sale of personal information (or “opt-out”)
The right of Californians to equal service and price, even if they exercise their privacy rights (or right to no retaliation)
Below is a side by side comparison of the two laws.
GDPR | CCPA | |
Jurisdiction of law | Any entity processing personal data with:
| Applies to any for-profit entity operating in California that does any of the following, annually:
|
Enforcement |
|
|
Extent of fines | GDPR has a two tier sanctions system, and national data protection authorities are empowered to fine companies either:
| The Californian Attorney General is empowered to fine companies:
Companies given a 30-day rectification period, if applicable. |
Data Protection Officer obligations | Yes | No |
Scope of information concerned | Personal data related to a person - including device identifying data. | Personal data “capable of being associated with” a consumer or household. |
Covers employees | Yes | ? |
Discriminates between processors and controllers | Yes, with clearly defined obligations for each of them. | Distinguishes between businesses and service providers, but obligational differences are poorly defined. |
Additional restrictions on sensitive data | Yes | No |
Respects right to access | Yes | Yes |
Respects right to erasure | Yes | Yes |
Respects right to rectification | Yes | No |
Respects right to portability | Yes | Yes, but only implied in relation to the consumer right of access to personal information. |
Respects right to restrictions processing | Yes | No |
Respects right to be notified | Yes | Requires that companies notify consumers “at or before the point of collection” of the type of personal information collected and what it will be used for. |
Respects right to object | Yes | Consumers have the right “to say no to the sale of personal information”. |
Respects right to reject automated decision-making | Yes | No |
No retaliation (right to not be discriminated against) | Yes | Yes |
Interpretation of consent | Consent must be freely given, specific, informed, unambiguous and withdrawable (usually through an opt-in). | Consent required for the sale of personal information. Certain actions require explicit opt-in consent like the sale of children’s data. |
Compels privacy policy disclosures | Yes | Yes |
Requires new homepage link | No | Requires homepage link stating “Do Not Sell My Personal Information” |
Data retention obligations | Yes | No |
Restrictions to profiling | Yes | No |
Restrictions to international data transfers | Yes | No |
Provides special considerations for children | Yes | Yes |
Data security obligations | Yes | Yes |
Data breach reporting obligations | Yes | Yes |
Contracts with Service Providers | Yes | Not mandatory, but beneficial |
‘Privacy by design’ obligations | Yes | No |
GDPR has inspired a wide range of national legislation that offer similar - though not identical - levels of data protection.
Below is a list of countries that the European Commission believes has laws adequate for data protection under GDPR:
Argentina
Personal Data Protection Act No 25,326, constitutional protections
2001
Bahrain
Personal Data Protection Law
2019
Individuals risk a potential one-year prison sentence for unlawfully transferring personal data out of the country.
Brazil
General Data Protection Law LGPD
2020
Canada
Personal Information Protection and Electronic Documents Act (PIPEDA)
2000
Israel
Data Security Regulations
2017
Japan
Act on the Protection of Personal Information (APPI)
2020
Kenya
Data Protection Act
2019
Mauritius
Data Protection Act
2017
New Zealand
Privacy Act
2020
Nigeria
Data Protection Regulation
2019
Paraguay
Law No. 6534/20 on the Protection of Personal Credit Data
2020
Qatar
Law No. 13
2016
South Africa
Protection of Personal Information (POPI) Act
2020
Like a number of African data protection regulations, POPI distinguishes itself from GDPR in that it only applies to South African companies processing data within the country, and is less strict on consent for non “special category” data.
South Korea
Personal Information Protection Act (PIPA)
2011, 2020
Considered one of the strictest data privacy laws in the world.
Thailand
Personal Data Protection Act
2021
Turkey
Law on Protection of Personal Data No. 6698
2016
United Kingdom
Data Protection Act (2018)
The law was amended from 2021 to integrate requirements from the EU GDPR.
Uganda
Data Protection and Privacy Act
2019
Uruguay
Act on the Protection of Personal Data and Habeas Data Action
2008
If you want to find a law that hasn’t been mentioned here, find the full list on UNCAD's data privacy information portal.
GDPR is in the news constantly of late.
In this section, you will find the latest GDPR news today. It covers GDPR enforcement, data breaches, and updates on data protection policies - both in Europe and across the world:
Scroll down the page or click the links above to jump to a section.
February, 2022 - France’s data privacy authority has ruled that Google Analytics is in breach of GDPR Article 44, which prohibits the transfer of personal data outside of the EU/EEA unless the recipient country can provide adequate data protection.
This decision comes hot on the heels of the Austrian Data Protection Authority’s similar ruling on Google Analytics in the private action brought to court by Max Schrems.
Learn more in the full news story
February 2022 - Belgium's data protection authority has fined Europe’s digital marketing and advertising association €250,000 for violating its Transparency and Consent Framework (TCF).
The decision to sanction IAB Europe and limit the use of TCF, along with the requirement to delete all current data, will impact publishers, advertisers, tech companies, and big tech companies like Google and Amazon.
Learn more in the full news story
July 2020 - The Court of Justice of the European Justice (CJEU) has this week ruled that companies cannot store EU citizen website traffic data in the US.
This landmark decision effectively terminated the bilateral agreement between the EU and US on data sharing, and has widespread implications for many companies - including the biggest players in the tech industry.
Learn more in the full news story.
Biggest Financial Penalties to Date
Date | DPA | Fine | Company | Reason | |
1 | July 2021 | Luxembourg | €746 million | Amazon | Inadequate cookie consent policy. |
2 | September 2021 | Ireland | €225 million | Data processing poorly explained in privacy notice. | |
3 | January 2022 | France | €90 million | Google Ireland | Inadequate cookie consent procedures on YouTube. |
4 | December 2021 | France | €60 million | Inadequate cookie consent procedures. | |
5 | January 2022 | France | €60 million | Google LLC | Inadequate cookie consent procedures on YouTube. |
6 | June 2020 | France | €50 million | Inadequate privacy notice. | |
7 | October 2020 | Germany | €35 million | H&M | Monitoring of employees without consent |
8 | February 2020 | Italy | €27.8 million | TIM | Variety of unlawful actions, mostly relating to unsolicited contact. |
9 | October 2020 | UK | €22 million | British Airways | Data breach affecting 400,000 customers. |
10 | October 2020 | UK | €20.4 million | Marriott | Data breach to guest reservation database. |
February 2022 - Californian lawmakers are drafting a new bill to protect the personal online data of children. This follows on from the UK’s recently enacted regulations on children’s code.
December 2021 - Zimbabwe brings into force its first privacy act - the Data Protection Act No. 05/2021.
December 2021 - Jordan’s Council of Ministers approved the 2021 Personal Data Protection Draft Law, submitting it to the kingdom’s House of Representatives.
October 2021 - Rwanda brought into law its first data protection legislation, Law No. 058/2021.
October 2021 - An amendment to Hong Kong’s data protection laws came into force, criminalizing doxxing.
September 2021 - Singapore’s Personal Data Protection Commission publishes its revised privacy guidelines.
August 2021 - Japan’s Personal Information Protection Commission issued guidelines for the 2020 amendments to its Act on the Protection of Personal Information (APPI), clarifying previously unclear aspects of the law.
September 2021 - China’s Data Security Law comes into force.
August 2021 - Cape Verde amends its 2001 Data Protection Act, bringing it closer to GDPR in on a number of key privacy issues.
June 2021 - The European Commission launches talks aimed at adopting an “adequacy decision” for the transfer of personal data to South Korea. This means that it is happy that South Korean data privacy laws meet GDPR requirements.
April 2021 - Burkina Faso enacts its Data Protection Act, replacing outdated legislation from 2004.
March 2021 - Zambia enacted the Data Protection act, becoming the 31st African country to pass data protection legislation.
Regulations and Guidance
December 2021 - Senegal’s data protection authority released regulations related to data retention periods for different classifications of data that range from six months to 10 years.
December 2021 - Kenya published its Data Protection Regulations that fleshes out its 2019 Data Protection Act. It tightens up national privacy laws on a range of issues that would be recognizable to anyone that has been following the GDPR.
June 2021 - South Africa issued POPIA guidance notes on the processing of special personal information and the personal information of children. This followed instructions in March and April on applications for prior authorization and exemptions for the unlawful processing of personal information respectively.
March 2021 - Uganda adopted its Data Protection and Privacy Regulations - this complements its Data Protection and Privacy Act and provides further details on issues that include its data protection authority, data management obligations, and data subject rights.
GDPR is a huge obligation for marketers.
Digital marketing is all about using websites, search engines, emails, and social media to drive consumer engagement with your company and boost revenue.
GDPR and marketing go hand-in-hand, with the law introducing quite a few essential requirements for marketers.
Consent is a big component of GDPR requirements. In practice, this is about having opt-ins across your marketing ecosystem.
You need to actively seek explicit permission from users for the collection and use of their personal data. Pre-ticked opt-ins are yesterday’s news as, to comply with GDPR, consent needs to be a deliberate choice.
GDPR has given EU residents more control over how their personal data is collected and used - including the ability to access, transfer or remove it.
It is your responsibility as a marketer to ensure that you respect these wishes and have systems in place to quickly access these requests.
GDPR requires that you have a legal justification for any personal data collected.
All this means is that you only collect the data you need to provide your customer with a quality product or service.
Beyond the implications of GDPR fines, GDPR compliance brings with it a range of benefits for marketers:
The information gleaned from website cookies has long been a useful tool for marketers in the digital age, enabling them to personalize outreach based on behavioral analysis that follows users around the internet.
However, GDPR requires consent for cookie collection - consent that is clear, specific, and unambiguous.
Users must also be able to withdraw their consent at any time.
Marketers need to consider how they collect, process, and handle data. With regards to the CRM, you need to look at:
GDPR compliance for email marketing means preventing unwelcome or spam communications - consumers need to have opted-in to enter prolonged email campaigns.
Companies need to seek explicit consumer consent for how their personal data will be used before sending out any emails. This includes when companies acquire email lists from third parties.
Companies developing software need to ensure that the GDPR requirements of “privacy by default and design” are built in from the beginning.
What this means is that data privacy measures are included into the software from the earliest stages of development.
At its heart, GDPR is there to protect the personal data of EU citizens - and control who a company can share this information with.
Digital marketing, and the related technology, are fueled by this personal data.
GDPR thus considers the providers of each of these platforms in your stack - as well as other third parties who can access your personal data - to be “data processors”.
Since your company remains the “data controller” under GDPR terminology, this means that you are ultimately accountable for what these platforms do with your data.
You need to be certain of the quality of this data, how it is collected, and how it flows through your martech ecosystem.
For marketers, software solutions refers to the tools that enable them to market in a smarter way - so as to better achieve their digital goals.
It’s a huge industry, with the global marketing technology market estimated to be worth $344.8 billion in 2021 (MarTech Alliance).
Martech’s growth has been striking, and the landscape has changed dramatically between 2011 and 2020.
Figures from Martech Alliance show that the number of vendors has skyrocketed from 150 to 8,000 during this time - that’s a 5,233% increase, illustrating the importance of this technology to companies today.
It’s common for various departments within a company to operate in silos, with sub-optimal collaboration processes.
When used properly, Martech can remove these silos and bring departments closer together - enabling them to work more effectively towards shared goals, while delivering a better customer experience.
Some other benefits of Martech include:
While technology is constantly changing, organizations can remain somewhat inflexible. Martech can empower companies to keep up with increasing customer expectations, but they must utilize their solutions effectively.
The range of martech options is wider than ever before.
While there is obviously some overlap, martech options largely fall into the following six categories:
Integrate different advertising and promotion platforms used for paid ads and streamline the following areas:
Improve your content creation, automation, and other processes. Examples include:
Streamline data collection and analysis; optimize your website, improve product UX etc. Examples include:
Used for improving managerial collaboration, communication, and project delivery. Examples include:
Enable your marketing and sales teams to better collaborate, automate processes, and execute sales and customer management at scale.
Such tools can in fact connect multiple departments - beyond marketing and sales, to customer support, success, and finance too. Examples include:
This category of marketing technology includes:
Simply put, your marketing stack is the collection of various technologies that your department is using.
As individual tools, they will typically only provide limited benefit work - but, if you are able to successfully marry the data (between tools and departments) and automate processes, they can be the foundations of a successful strategy.
By developing a marketing tech stack, marketing departments can visualize how their different platforms and systems are working together, with the goal of integrating everything for an enhanced internal and external user experience.
In the modern world, it would be nigh on impossible for companies to grow at the desired pace without an integrated Martech stack.
When used correctly, these tools optimize what can be achieved with the personal data on file. But it’s absolutely essential to ensure that each platform and each process is GDPR compliant.
GDPR was carried into the world on a wave of optimism about the future of consumer data privacy protection.
Yet, while it remains one of the strictest data privacy frameworks in the world, its full potential has yet to be realized.
This article runs through consumer privacy, GDPR and its effects on the future of marketing. It looks at the law’s successes and difficulties, before running through what the future holds for privacy laws and the companies that are at their mercy,
GDPR has undoubtedly increased the seriousness with which companies handle personal data, and the speed at which companies have improved security practices has been quite surprising.
Even before the massive €746 million fine given to Amazon, company board executives must have been all too aware of the risk that GDPR posed to them; it spurred huge investment in privacy policies and systems, and has created a culture of data privacy by design and accountability.
It’s projected that $9 billion will need to be spent to make the global economy GDPR-compliant (Forbes) - that’s $9 billion that is being invested in protecting the personal information of people living in the European Union.
So, while GDPR compliance has been an endless headache for companies, it’s great news for Europe’s internet users.
And, with the average salaries of privacy professionals increasing by more than $6,000 in just two years, GDPR has been pretty great news for them too.
The introduction of GDPR is also a real success for the EU, making Europe the world’s data police and standard setter for international data privacy legislation.
Multinational companies also welcome the practicality of relying on a single privacy framework for compliance across all EU member states - though this has worked better in theory than in practice.
A rising tide lifts all ships, and lawmakers in over 120 countries are taking inspiration from GDPR when drafting their own legislation for the technology sector - this global shuffle towards stronger consumer rights being a further testament to the ambition of GDPR.
In the US, only three states currently have GDPR-like privacy laws - these being Colorado, Virginia, and Connecticut. But this number will soon soar, with more than 30 states in the process of drafting bills.
Looking forward, this could be all the pressure the US government needs to intensify efforts to introduce a federal law of its own and a replacement to the now defunct EU-US Privacy Shield agreement is long overdue.
The US can take inspiration from Canada’s national privacy legislation, with PIPEDA recognized by the European Commission as meeting many of the requirements of GDPR despite - chiefly - a different understanding of consent as the legal basis for data processing.
Africa is lagging behind Western pacesetters. There has been a drive from the African Union to catalyze GDPR-like legislation across the continent and half of the continent’s 54 countries have introduced data privacy laws of their own.
South Africa has finally passed its Protection of Personal Information Act (POPI) after five years of work.
But while many of these share key GDPR principles, the continent as a whole lacks enforcement mechanisms and wider disparities provide challenges for multinational organizations operating there.
There is also insufficient funding for the training of civil servants on the subject of data privacy, while the continent’s reliance on cybercafes instead of personal devices makes controlling the misuse of personal data harder.
Overall though, data privacy laws in Africa have developed substantially over the last 3 years and the general trend is positive.
The continent’s data privacy legislation dates back further than the US and the pace of reform in recent years has been striking.
But, while Latin America has long modeled its privacy laws on European precedents to facilitate business, the lack of an overarching framework for the continent is a challenge for multinational organizations.
Under a deal with MERCOSUR, data transfer to the EU is reliant on member Latin American nations introducing GDPR-like legislation, but only a handful of countries - Argentina. Paraguay, Uruguay and Brazil - have made the necessary steps so far.
Asia has also been tightening up its data privacy laws, and several countries in the region have updated legislation to bring it more in line with the European model.
China looms large over the region, and it has introduced its own Personal Information Protection Law (PIPL).
Japanese and South Korean regulations meet GDPR standards for data privacy, and the overall trend is positive. However, the next few years will be a testing time for the region’s data privacy framework as data breaches continue to increase and regulators struggle with enforcement.
The law has also provided a platform for private citizens to challenge companies in court.
Max Schrems is the most famous example here, but there are now many more people who are using private rights of action and class action lawsuits to bring companies to the forefront of the courts.
As with all new laws, GDPR had teething problems and trouble finding its feet.
According to research from DLA Piper, at least a few of the EU member states are becoming more willing to confront big tech companies, and GDPR fines increased by 700% in 2021 - with this trend likely to continue in 2022 too.
The number of data breach notifications received by data protection authorities has also been consistently growing year after year, since the GDPR arrived on the scene in 2018.
GDPR fines have also been the spark for positive changes.
After being hit by a €35.3m fine in October 2020, H&M responded by introducing a swathe of new measures to protect consumer personal data.
This included appointing a new Data Protection Coordinator, as well as creating a long-term data protection strategy.
H&M is also working on paying back compensation to the employees that were affected.
Despite these successes, challenges still remain.
While GDPR is almost fully rolled out across the EU, the depth of integration varies from country to country.
Supervisory authorities also vary in how they interpret GDPR, and enforcement can conflict with different local laws in each state.
There is also a slow turnaround in cross-border investigations at the moment.
This resultant lack of data privacy harmony among EU member states is a real frustration of privacy professionals. It also makes the development of standardized guidance difficult.
That uncertainty still hangs over the business community about compliance does not paint GDPR in a good light.
The wording of the law is highly ambiguous and many companies are loath to spend huge amounts of money redesigning their data systems from the ground up, if they can’t be certain that they will escape fines for the misuse of data.
Companies have also been sent into a spin by the GDPR’s overly broad definition of what a personal data breach is.
The 72-hour breach notification has also created problems for companies, resulting in DPAs being swamped in unnecessary notifications as companies jumped the gun before fully understanding what was going on.
Many tech multinationals are still sticking to business models built on data-harvesting revenue.
This approach faces resistance from a very powerful tech lobby and GDPR violations remain a staple of the daily news. Conflict in this very public data war has included:
The initial optimism around this bill has been slowly replaced by frustration at the slow pace of enforcement.
The number of privacy violations exceeds what regulators can enforce, and a great many remain unaddressed.
In 2021, GDPR regulators were notified about more than 130,000 personal data breaches (DLA Piper).
DPA’s are overworked. Between May 2018 and March 2020, data protection authorities handed out only 231 fines and sanctions - a drop in the ocean next to the 144,376 complaints filed during this time.
They’re also underfunded. A study by web browser, Brave, concluded that regulators have not been given the funding needed to effectively enforce GDPR.
As a result, data protection authorities are reticent about taking big companies to task because of the huge legal budgets available to Facebook and Google, for instance.
Crucially, the number of data protection staff working across the EU has barely increased since 2019 - again because of funding shortages.
The Irish DPC office has been underfunded for over two decades now and the workload is high. It currently has investigations open on at least 17 huge multinational firms.
This is because GDPR has a “one-stop-shop” rule, which says that companies should be prosecuted in whichever member state they choose to situate their headquarters.
Ireland is the number 1 destination for US tech companies - meaning that the Irish DPC is leading investigations into some of the richest and most powerful Silicon Valley firms, on behalf of the whole of Europe.
Innovation conflicts with the protection of individual rights and GDPR appear to be seriously hampering the EU’s capacity to develop new technology.
Knowledge of many important technologies for the future was already widespread when GDPR was being drafted, but the regulations make it all but impossible to develop or even use them.
This comes at a time when the continent desperately needs digital solutions, and there is no practical guidance about how GDPR can accommodate new technologies moving forwards.
This is straightjacketed by strict GDPR requirements to obtain consent when processing data, putting EU firms at a competitive disadvantage next to North American and Asian competitors.
Blockchain is a digital database of information (like financial transaction records) that can be used and shared across a decentralized, publicly accessible network.
This technology is seen as a powerful tool for increasing data security and can be applied to everything from the secure sharing of medical data and voting mechanisms to NFT marketplaces and cross-border payments.
A key feature of blockchain technology is that the intrinsic personal data cannot be modified without the consent of everyone involved.
So, despite blockchain having the potential to meet GDPR objectives - like the secure flow of data and information - the law requires that consumers can request the deletion of personal information, making the two incompatible at present.
GDPR requirements for data minimisation, purpose limitation and transfer of pseudonymised data outside of the EU makes it difficult to share health data.
It has also acted as a powerful check on health management during the COVID pandemic, since it restricted use of tracking data and data exchange between local health authorities.
In the last decade, Electronic Government measures have had a profound impact on the quality of the delivery of public services to citizens, though issues of privacy and security - central to GDPR - are causing momentum to be lost.
The European Commission wants to make it easier for smaller companies to comply with GDPR regulations.
This would mean providing them with extra guidance, support and tools - like Standard Contractual Clauses, which companies can simply paste into their own customer contracts.
This includes seeing data portability beyond just banking and telecoms.
Private right of action and class action lawsuits are clear avenues for advancing how EU citizens can exercise their rights under GDPR.
Such private lawsuits are anticipated to become more common, and these rulings will have a powerful impact on how GDPR will be interpreted in the coming years.
Overall, the GDPR enforcement during the law’s first three years has been reactive - a result of either data breach notifications or data subject complaints.
However, data protection authorities are now becoming much more proactive in targeting companies before any non-compliance issues have been filed.
This sophistication in GDPR enforcement is only anticipated to grow in the years to come.
There is a push to improve how DPAs operate, particularly given how the case against Whatsapp illustrated the convoluted nature of GDPR’s enforcement mechanisms.
Improved effectiveness includes better collaboration between member state data protection authorities, with discussions continuing on how they can better work together to enforce GDPR. There is also support for a more centralized approach to enforcement.
This harmonization includes regional consistency and matching resources to the growing number of requests.
This will replace the ePrivacy Directive, introducing new rules on electronic communications. A draft proposal seen in April 2021 included regulations for artificial intelligence that were in line with GDPR.
Privacy Shield allowed US companies to process EU citizen data, as long as they adopted the GDPR’s higher privacy standards. However, US law meant that the US government could still monitor that data.
After Max Schrems challenged this legal conflict, the Privacy Shield was struck down. It would be in everyone's interest to agree a replacement,
Given its seismic impact on global privacy laws, it is no wonder that GDPR is taking time to bed in.
However, since its introduction in 2018, it has undoubtedly strengthened both security measures and consumer protection.
Much has also been learnt about where GDPR has succeeded and where improvements can be made in the future.
No doubt improvements made by other countries to data privacy legislation will also influence data privacy regulation and enforcement in Europe.
For us, data privacy is an undebatable principle.
We do not sell data or pass it on to any third parties.
Data is aggregated and anonymized, and only used to provide the website owner with the stats and insights needed for improving site performance. These details cannot be traced back to any individual.
From the very first version of our app, our priority has always been the protection and privacy of the data that our customers trust us with.
That is why we are focused on staying up to date with every data privacy law, and making sure that we are compliant with each one: BDSG, CCPA, CPA, DPA, ePrivacy, GDPR, LGPD, PECR, PIPEDA, PIPL, PDP, POPI, VCDPA, & TTDSG.
The types and amounts of personal data we process are limited to those stated in the contract with the customer. We do not share it with third parties. We only process personal data as described in our Privacy Policy.
At TWIPLA, we are aware of the trust that our customers place in our product and team, and our responsibility to keep your data and privacy secure.
Therefore, we are transparent regarding the information we collect when you use our products and services, why we collect it, and how we use it to improve the service for you!
Our Terms of Use & Data Processing Agreement describe how we treat personal data in connection with the use of our App and how we take care of it.
All the data we gather for our customers is confidential information.
TWIPLA’ employee access controls protect customer data from unauthorized access, and we use a special script to access a website owner’s data (both account data and their visitors’ data) and conduct audits to ensure the controls are enforced.
We are proud to be ISO 27001 certified.
ISO 27001 is an internationally recognized standard that ensures that our app meets best practices for an information security management system.
These help our organization manage the security of assets such as financial information, intellectual property, employee details or information entrusted to us by third parties — such as websites and other customers or partners.
Using the innovative TWIPLA’ approach to consentless tracking, companies no longer need cookies or consent banners.
The application does this with a Privacy Center, where users can choose from four different privacy modes:
This is the default privacy setting when you first set up the app. Using this mode, nothing is anonymized. You will be able to access the following types of data: IP Address, Page History, Returning Visitors, Approximate Visitor Location, and Screen Resolution. No cookies are used, but we do use digital fingerprinting. A consent banner is required on the site.
Using this mode, IP addresses are anonymized. You will be able to access the following types of data: Page History, Returning Visitors, Approximate Visitor Location, and Screen Resolution. No cookies are used, but we do use digital fingerprinting. A consent banner is required on the site.
Using this mode, IP addresses are anonymized. You will no longer be able to access page history, but you can still access data on Returning Visitors, Approximate Visitor Location, and Screen Resolution. No cookies are used, but we do use digital fingerprinting. A consent banner is no longer required, as no data is being stored.
Starting with Cookieless Tracking mode, companies can start accessing more data, legally and ethically, without losing any cookie consent banner rejections.
This approach uses digital fingerprints that can later be recognized.
Unlike cookies, fingerprints are not stored on a user’s device and, therefore, cannot provide data about what the visitor does outside of the sessions on that particular site. This makes cross-tracking impossible.
Some anonymized data is stored, but only within the analytics environment and in an aggregated form, making it impossible to associate it with the habits and history of a particular individual.
Using this mode, IP addresses are anonymized, page history is not displayed, returning visitors are only guessed, and screen resolutions are approximate. You will still be able to access approximate Visitor Location. This is our most secure mode as no cookies, fingerprinting, or other data is stored. This means a cookie banner is not required.
Using Complete Protection, no tracking data or cookies are generated or stored and the details of a user’s device are never accessed.
There is no digital fingerprint at all. No personal data is stored. No cookies are used. Only a unique ID.
So, there is no need for consent - one less thing to worry about when managing a website.
This also means that 100% of ethical statistical and analytical data is available for users to rely on when making website improvement decisions.
This data is not considered personal information as long as it is not linked to a specific IP address. By using Cookieless Tracking Mode and Complete Protection Mode, IPs are anonymized.
Unlike cookies (which are set by services in the user’s browser storage), the fingerprint is already set for each browser, as a kind of user agent identifier (browser name, version, screen resolution, etc.)
The fingerprint does not change often, while the unique ID is a different ID generated by us, as a hash on the server for each session.
The fingerprint is NOT stored anywhere on the browser. It usually does not change, unless there is a browser version update, or an uninstallation and reinstallation. It is always calculated on-the-fly.
GDPR and other privacy laws are very specific when it comes to data that can create an approximate individual profile. By not storing any data and by not using IP addresses, activity patterns like page history, or exact locations or device settings, there is no way an individual profile can be identified.
Sign up to Our Newsletter for Regular Nuggets. And don’t worry, we won’t tell sales.