CS Nov-Dec 2022

GDPR
their reputation doesn't suffer as a result of
a management error or data protection
oversight.
"When companies are entrusted with their
customers' sensitive data, there are no
measures that go too far. They must be
aware that they are custodians of any data
they collect, process and use, and it is
therefore their responsibility to ensure that
this data is protected. This needs to go
beyond a simple box-ticking exercise to
ensure GDPR compliance, and instead
a business-wide culture of transparency
and responsibility must be adopted. When
it comes to data protection, this should
include a full business continuity strategy
that includes resilience measures, along with
secure, immutable backups and disaster
recovery solutions that can be drawn upon,
if data is maliciously accessed."
WHATSAPP ALSO HIT HARD
Last year, the DPC fined WhatsApp 225
million euros, at that time the largest fine
ever from the commission and the second
highest under EU GDPR rules. Facebook
(now Meta), which also owns WhatsApp,
has its EU headquarters in Ireland. The fine
relates to an investigation that began in
2018 about whether WhatsApp had been
transparent enough about how it handles
information. The issues involved were highly
technical, including whether WhatsApp
supplied enough information to users about
how their data was processed and if its
privacy policies were clear enough. Those
policies have since been updated several
times.
"WhatsApp is committed to providing a
secure and private service," a company
spokesperson said at the time, as reported
by the BBC: "We have worked to ensure the
information we provide is transparent and
comprehensive and will continue to do
so. We disagree with the decision today
regarding the transparency we provided to
people in 2018 and the penalties are entirely
disproportionate." GDPR rules allows
for fines of up to 4% of the offending
company's global turnover.
Clearly, the GDPR is proving effective, with
the large fines administered so far to some
big-name companies proving a reminder
and deterrent to others when it comes to
responsible management of data. All of
which underscores the seriousness of
purpose with which the regulations were
planned. More than four years down the
line since the regulations came into force,
it's worth looking back at how they were
structured and the European Commission's
take on how effective they have proved
since.
First off, the European Commission accepts
that most of the issues that are identified by
Member States and stakeholders will most
likely benefit from more experience in the
application of the Regulation in the coming
years. "Increasing global convergence
around principles that are shared by the
GDPR offers new opportunities to facilitate
safe data flows, to the benefit of citizens
and businesses alike," it states.
IMPROVEMENTS WITH GDPR
Businesses, including SMEs, now have just
one set of rules to which to adhere. "The
GDPR also creates a level playing field
with companies not established in the EU
but operating here. By establishing a
harmonised framework for the protection
of personal data, the GDPR ensures that all
businesses in the internal market are bound
by the same rules and benefit from the
same opportunities, regardless of whether
they are established and where the processing
takes place. In addition, privacy has
become a competitive quality that
customers are increasingly taking into
consideration when choosing their services.
For SMEs, the implementation of the right
to data portability has the potential to lower
the barriers to entry to data protection
friendly services. Compliance with the data
protection rules and their transparent
application will create trust between
business and consumers when it comes
to the use of their personal data."
NEW TECHNOLOGIES
The GDPR is seen as an essential and
flexible tool to ensure the development
of new technologies, in accordance with
fundamental rights. "The implementation
of the core principles of the GDPR is
particularly crucial for data intensive
processing. The risk-based and technologyneutral
approach of the Regulation
provides a level of data protection, which
is adequate to the risk of the processing
also by emerging technologies."
The GDPR's technologically-neutral and
future-proof approach was put to the test
during the COVID-19 pandemic and has
proven to be successful. Its principles-based
rules supported the development of tools
to combat and monitor the spread of the
virus. The future-proof and risk-based
approach of the GDPR is also being applied
in the EU framework for Artificial
Intelligence and in the implementation
of the European Data Strategy, aimed at
fostering data availability and at the
creation of Common European Data
Spaces.
GLOBAL PROTECTION STANDARDS
The GDPR has emerged as a reference point
and acted as a catalyst for many countries
and states around the world considering
how to modernise their privacy rules.
International instruments, such as the
modernised 'Convention 108' of the Council
of Europe or the 'Data Free Flow with Trust'
initiative launched by Japan are also based
on principles that are shared by the GDPR.
This trend towards global convergence
brings new opportunities for increasing the
protection of Europeans, while, at the same
time, facilitating data flows and lowering
transaction costs for business operators.
The GDPR offers a modernised toolbox to
www.computingsecurity.co.uk @CSMagAndAwards Nov/Dec 2022 computing security
39