Data protection is already confusing, and the fact that regulators are constantly playing catch-up with emerging technologies only compounds this.
The GDPR updates of 2021 reflect this cat-and-mouse game, with new court cases and directives changing how organizations should handle personal data. This article takes you through some of the considerable changes coming with the GDPR and how they could affect your business.
Let’s discuss.
Before GDPR Updates 2021
With the GDPR in full swing, both data subjects and organizations are getting used to seeing its effects all over the internet. From cookie banners to data subject access requests, the GDPR has left its mark.
As a reminder, the purpose of the GDPR is to protect the privacy rights of data subjects. The spirit of the law is captured in its seven principles:
- Lawfulness, fairness, and transparency: personal data shall be processed lawfully, fairly to the data subject, and in a fully transparent manner.
- Purpose limitation: the organization shall process personal data only for purposes (such as the contract or business operation concerned) that are explicit and specified before processing begins.
- Data minimization: data shall not be held or processed beyond what is required for the purpose.
- Accuracy: data must be updated, rectified, or erased if inaccurate.
- Storage limitation: you cannot keep personal data longer than necessary; your data retention policy must specify a deletion time.
- Integrity and confidentiality: all personal data must be kept secure and protected against theft, accidental loss, unlawful processing, or damage.
- Accountability: organizations must be able to demonstrate that they have put appropriate technical and organizational safeguards in place.
These principles remain the barometer of compliance. Organizations should continue to uphold them, along with the more practical steps, if they wish to remain compliant. The GDPR updates of 2021 have largely concerned the more technical aspects of the law, with regulators putting more pressure on data controllers. In the coming sections, we will discuss the most significant changes to the regulations, specifically those that might affect your online business.
Ease For Data Subjects To Exercise Rights
Regulators have expressed their desire to make it easier for data subjects to exercise their rights.
Currently, there are very few tools available for data subjects to raise concerns with organizations processing their data. For instance, a Data Subject Access Request (DSAR) must be submitted by the data subject through a written channel.
Unfortunately, many organizations make it difficult for the data subject to submit a DSAR, even though this is a grievous violation. Another change that concerns the data subject’s rights is the right to portability. Regulators are putting more pressure on organizations to allow personal data portability across geographical borders and between organizations. Easy portability already exists in the banking and telecommunications sectors (both of which are heavily regulated).
Although these changes affect the data subject, they will have compounding effects on the organization processing their data. Easier DSARs mean you might be seeing more of them; new data portability requirements mean you will need to make that data readily available to your customers.
Updates To Cookie Consent
The most significant change to come to the GDPR was released in October 2020, which concerns cookie consent.
Cookie consent and cookie policies have been a heated debate in the privacy sphere for a while now. Cookies are an excellent addition to marketing campaigns because tracking and profiling cookies make it easy to know your consumer on a deeper level. But when it comes to privacy, there are some concerns. Although a lot of cookie data is anonymized, it can still be used to identify individuals, because modern data processing techniques can use metadata to profile and identify a person quickly.
The GDPR recognizes this data as a “special category,” and in most cases you will need an excellent reason to process this kind of data. However, regulators are not anti-cookie; they simply require explicit consent. This is where the changes are coming in: cookie consent is changing. The first significant change, which will affect many American companies, is that you can no longer bar access to your site behind a cookie wall.
A cookie wall refers to the practice of making access to a service or site conditional on cookie acceptance, meaning that users who choose to opt out of cookie tracking can no longer browse your website. This practice becomes a violation of rights under the GDPR updates of 2021.
The second significant change comes in the form of granular consent. You can no longer have a single accept-all cookie policy. You must state explicitly to your users what each cookie does and give them the option to consent to each cookie separately. You cannot have “accept all cookies” preselected; instead, cookies should be set to rejected by default.
Lastly, users must be able to withdraw consent as easily as they gave it. So, if your website is cookie compliant, withdrawal should be as easy as the click of a button.
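To make the three requirements above concrete (no cookie wall, granular consent with nothing preselected, and one-click withdrawal), here is an added example that is not code from the original article: a small, framework-independent consent-state model in JavaScript that a site's banner and cookie-setting code could share. The category names, cookie names and the cookie registry are constructed assumptions for illustration.

```javascript
// Added example (not code from the original article): a consent-state model
// implementing the cookie-consent rules described above. It has no DOM
// dependency so it can be unit-tested. Category and cookie names below are
// constructed for illustration.

// Categories that require consent. Strictly necessary cookies are exempt and
// are deliberately not part of this list, so they never appear as a toggle.
const OPTIONAL_CATEGORIES = ["analytics", "marketing"];

// Constructed sample registry: each cookie the site sets, mapped to the
// consent category it belongs to.
const COOKIE_REGISTRY = {
  session_id: "necessary",
  analytics_uid: "analytics",
  ad_profile: "marketing",
};

// Reject-by-default: every optional category starts as false. The banner
// renders its toggles from this object, so nothing is preselected.
function defaultConsent() {
  return { necessary: true, analytics: false, marketing: false };
}

// Granular consent: categories are granted one at a time. Unknown names and
// the exempt "necessary" category are refused, so the UI cannot construct an
// undocumented "accept everything" shortcut.
function grant(state, category) {
  if (!OPTIONAL_CATEGORIES.includes(category)) {
    throw new Error(`not a consentable category: ${category}`);
  }
  return { ...state, [category]: true };
}

// Withdrawal is symmetrical with grant: one call, same validation.
function withdraw(state, category) {
  if (!OPTIONAL_CATEGORIES.includes(category)) {
    throw new Error(`not a consentable category: ${category}`);
  }
  return { ...state, [category]: false };
}

// The "reject all" button: returns to the default state in one step.
function withdrawAll() {
  return defaultConsent();
}

// Gate that every cookie-setting code path should call before writing a
// cookie. Unregistered cookies are denied, so an undocumented cookie cannot
// be set by accident.
function mayRaiseCookie(state, cookieName) {
  const category = COOKIE_REGISTRY[cookieName];
  if (category === undefined) return false;
  return category === "necessary" || state[category] === true;
}

// Withdrawal must take effect, not merely be recorded: list the cookies that
// have to be deleted when consent moves from `before` to `after`.
function cookiesToClear(before, after) {
  return Object.entries(COOKIE_REGISTRY)
    .filter(([, category]) => before[category] === true && after[category] === false)
    .map(([name]) => name);
}

// A consent record that can be evidenced later (accountability principle).
function consentRecord(state, now = Date.now()) {
  return {
    timestamp: now,
    granted: OPTIONAL_CATEGORIES.filter((c) => state[c] === true),
    rejected: OPTIONAL_CATEGORIES.filter((c) => state[c] !== true),
  };
}
```

Note what is absent: no function consults the consent state to decide whether page content may be shown. That is what "no cookie wall" looks like in code; consent only gates cookie writes, never access. Because `mayRaiseCookie` denies anything not in the registry, adding a new tracking cookie forces a developer to document its category first, which is also the list you need for the banner text.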
GDPR and Brexit
One of the most important geopolitical news stories of 2020 was the United Kingdom’s finalized exit from the European Union. Brexit’s lasting effects are still to be seen, but one sure thing is the short-term chaos it has caused with trade deals, fishing, logistics, etc.
However, one element of post-Brexit that has remained relatively stable is data protection laws. Under the EU GDPR, the UK is now considered a third country. Third-country organizations have slightly stricter compliance requirements. For example, UK organizations will now have to assign a GDPR representative in the European Union if they do not have an office in one of the member state countries.
Additionally, one of the other changes with Brexit is that the UK has its own version of the GDPR, imaginatively called the UK GDPR. The compliance requirements are largely the same but apply to UK data subjects.
EU and other non-UK organizations will require a UK GDPR representative if they do not have an office within the UK and process the personal data of UK data subjects.
Changes to Joint Controllers
The final change coming to the GDPR is the definition of a joint controller. Regulators are expanding what defines a joint controller. In a couple of court cases against Facebook, the EU Court of Justice found that anyone running a fan page on the Facebook platform would be considered a joint data controller.
However, this does not mean the fan page administrators are as responsible as Facebook; they have shared responsibility. It was made clear during the case that Facebook ultimately decided what happened with the personal data. But there was a need for fan pages to be as compliant as possible, given the nature of the personal data processing.
How RSI Security Can Help You With GDPR Compliance
The GDPR is complex and evolving legislation, with new information coming out consistently. Keeping up to date with data protection laws should not be your number one priority; you can leave that to the experts.
RSI Security is the nation’s premier cybersecurity provider, and with our experience in data protection, we can help you achieve GDPR compliance. Leave GDPR updates 2021 to us so you can keep doing what you do best. Get in contact today and schedule a consultation here.