Experts praise GDPR in five years – TechToday



At its core, the General Data Protection Regulation focuses on the right to privacy: it gives people access to their personal data and lets them control how companies, including data vendors, use their personal information.

The GDPR, a series of privacy laws in the European Union, has extraterritorial scope, meaning that platforms and websites outside the EU that collect PII of people inside the EU must also comply with its guidelines.

The biggest consequence so far in monetary terms was the $1.3 billion fine imposed on Meta this week, along with the ban on processing European Union user data in the US.

As the consent management platform Cookiebot explains, the GDPR states that a website serving visitors from within the EU must, before processing personal information:

  • Obtain clear and unambiguous consent from users.
  • Disclose the cookies and other tracking technologies active on its website, in easy-to-understand terms that let users accept or deny permission for each set of cookies.
  • Be able to securely and privately record each user’s consent and to request renewed consent on a regular basis.

Experts praise GDPR but say more is needed

Several experts weighed in on the benefits of GDPR at WithSecure’s Sphere23 event in Helsinki, Finland.

“The European Commission is criticized for many things, but GDPR is one thing that can raise its head and say, ‘We have led the world in this.’ As big events go, it’s like climbing Everest. And it seems to be working as other authorities follow suit,” said Paul Brucciani, a cybersecurity consultant at WithSecure.

He said that the fragmentation of the Internet, driven by the search for energy, created the problems that the EU faced with the GDPR, and that it is also applying to new technologies. “For example, AI is the next big area that will need to be regulated, and the EU has also started in this regard with the proposed AI Act, legislation that aims to be user-friendly, future-proof and robust. disruption,” he said.

Sylvain Cortes, VP of strategy at Hackuity, said it’s a good start, but not enough.

“Compliance is important, but we encourage organizations to take the opportunity to think beyond the requirements to create a culture of continuous technological change,” he said. “It is important to remember that achieving compliance should not be considered as a ‘push test’ and a last-ditch effort to get an annual or quarterly audit. The goal is to achieve more than what is required and move away from the tick-box mentality. GDPR compliance is important, but it is not enough for modern organizations,” he added.

Ripples of influence over Europe (in the US)

Although the US does not have national privacy laws, eight states have enacted privacy laws or limited laws that give consumers control over how their data is sold. Some of them are:

Maine, Colorado, Utah, Iowa, Indiana and Connecticut are also on the growing list of states that have privacy or cooperative laws. Montana, Texas and Florida also have similar bills awaiting governors’ signatures.

Jeff Reich, CEO of the Identity Defined Security Alliance, said these regulations and others are coming with GDPR.

“The rock in the pond that is GDPR continues to create ripples that affect everything around it,” he said. “Seven years after the GDPR was implemented, five years after enforcement began, it is difficult not to see the consequences of this law, until now. Businesses and sellers know what they must do, although they do not know how to do it. The best change is for consumers.”

He said the biggest long-term benefit could be consumers’ ability to value their information and the security that protects their data.


