So what has gone well and what has gone less well?
One of the main purposes of the legislation was to get the topic of data privacy on the agendas of boards – and this has worked well. The law has increased transparency, proportionality and fairness in the way companies treat personal data. In addition, there was an initial fear that the GDPR might in practice be quite toothless because regulators were failing to use their power to impose significant fines on companies in breach, but in the last couple of years fines have been increasing. This should only help increase compliance further.
Less effective, perhaps, has been the harmonisation of data privacy rules throughout the EU. Harmonisation has certainly improved, but there is still no ‘one-stop shop’ by which companies can take advice in one country and apply it to all. The rules are still to some extent interpreted differently in different places – with even different regions in Germany, for example, seeing variation in application. This can, unfortunately, make it costly for companies to comply with the GDPR.
What will be the future for data privacy legislation? We think the interplay between this and emerging AI will be the area to watch.
Meanwhile, enjoy our video discussion below.
To mark the fifth anniversary of the GDPR, data protection experts Alexander Milner-Smith of Ius Laboris UK and Inger Verhelst of Ius Laboris Belgium sit down to reflect on their experiences to date and to think about the challenges that lie ahead for employers when it comes to data protection in the EU and beyond.