The GDPR took effect a little over two years ago, on the 25th of May 2018. It is the first data protection law that applies to the entirety of the European Union, and it introduced high fines for the misuse of personal data or for missing protection mechanisms. Both companies and private individuals can receive fines of up to 20,000,000 € or 4% of annual worldwide turnover, whichever is higher. Additional documentation requirements for companies, organisations and associations were introduced. Customers benefit from clearly defined rights regarding their own personal data. But after two years of GDPR, it is time to run the numbers: what should be changed?
Many associations criticise that all companies, regardless of size, are treated equally, and want SMEs (small and medium-sized enterprises) to have reduced documentation requirements. Another heavily discussed issue is the export of data across international borders: some institutions want laxer rules for transfers to countries outside the European Economic Area that lack an adequate level of protection. Some technicians criticise the missing specifications for data processing using AI, and researchers want easier transfers of data for research purposes.
Should the GDPR be changed? Is there a faster way?
The GDPR is a law that affects the entirety of the European Union, and it is therefore difficult and time-consuming to change. But maybe this isn't necessary. Article 97 of the GDPR already requires regular reports that evaluate the effects of the law and how it can be improved. The first report was due on the 25th of May 2020, but the ongoing pandemic has delayed the process. After the first report, a new report is to be written and reviewed every four years. The European Parliament reviews these reports and debates necessary changes. The GDPR also offers a quicker way to react to new requirements: Codes of Conduct (Article 40). A Code of Conduct does not amend the law itself, but specifies how certain articles are to be applied in a particular sector. Such codes can be proposed by any association that represents data controllers or processors, and must be approved by the competent Data Protection Authority.
An additional approach is the certification system already provided for in Article 42. It allows companies that care about data protection to have their processing certified and to show the world that they have taken additional measures to protect their customers' data.